Advisers Giving Back: The CAPTRUST Community Foundation

Though its giving efforts are expansive, the CAPTRUST Community Foundation’s vision is singular: 'Plain and simple, we want to enrich the lives of all children.'

Art by Suharu Ogawa


Over the course of the past year, PLANADVISER’s Advisers Giving Back profile series has featured a wide variety of advisory firms engaged in many types of charitable and philanthropic activities.

Some of the firms, given their smaller footprints, are engaged in locally focused activities, for example teaching girls and young women in New York City about business and personal finance. Others, given their national presence, provide financial and volunteer support for many causes across the United States.

As part of one of the largest retirement-plan-focused advisory firms in the U.S., the CAPTRUST Community Foundation (CCF) falls in the latter camp.

“Plain and simple, we want to enrich the lives of all children,” says Tiffany Larew, employee relations manager and the 2020 president of the CCF board of directors.

Over the 13 years it’s been in existence, the CCF has given away over a million dollars with that goal in mind. In some cases, it gives small grants directly to vetted charities, and in others, it provides larger grants and partners with charities to help them achieve “more than just money would provide.” Some recent recipients of support (both volunteer hours and monetary donations) include the Boys & Girls Club of Santa Barbara, TeamSmile, Kidznotes and the CORRAL Riding Academy.

Noble Purpose, Sophisticated Operation

Larew is acting as the organization’s board president in 2020 after having served on the CCF finance committee and as board treasurer. In taking on the role, she has worked closely with Devyn Duex, the 2019 CCF board president and an adviser in the firm’s Santa Barbara, California, office.

As Larew and Duex explain, the CAPTRUST Community Foundation has been so successful first and foremost because of enthusiastic support coming from the executive leadership, as well as from the firm’s advisers and support staff. But the CCF also continues to benefit from the efforts of its present and previous board leaders, who have made significant progress in institutionalizing and scaling the firm’s charitable efforts.

In its current form, the CCF is managed by its board of directors and five subcommittees, and its fundraising is conducted primarily through employee payroll deductions. Community fundraising also plays a part.

“It’s very gratifying to be able to give back to our communities at a regional and national level,” Larew says. “We have board members in Texas, Iowa, Ohio and other places—and we’re all working together towards the mission of helping children in our communities. It’s so important to the culture of our company. In early 2020, we already have done several projects. One was a ‘Fun Run’ event that raised $33,000 so far. Those are the sorts of events that build employee loyalty and a sense of community.”

To foster employee participation beyond the payroll deduction donations, CAPTRUST grants employees 16 hours of volunteer time as a voluntary benefit. A lot of people choose to use this time for CCF-sponsored events, but they can also spend their time supporting outside events.  

Duex recalls that one primary goal in 2019 for the CCF board was to work on several “operational sustainability and efficiency projects.”

“As the foundation continues to grow, including several new initiatives we have set to launch in 2020, our focus sharpened to ensure the foundation is set up structurally to handle the increased workflows,” Duex explains. “One of the areas [where] we saw opportunity was within accounting and finance, as well as in the grants processes. We also hired a bookkeeper to tackle day-to-day tasks and shifted oversight to the chair/treasurer, strengthening the ability for the foundation to ensure we meet our fiscal responsibilities.”

In addition to the partnership, crisis and small grants given out by the CCF, 2020 will see the launch of a new “project grant” program. Ideas for charities to support with these grants and associated staff volunteer hours will primarily be sourced from internal proposals. CAPTRUST employees will be able to file applications explaining their proposed project, how many CAPTRUST volunteers are needed, the requested grant amount, etc.

“In 2020, we are also launching an online grants portal to increase efficiency for applicants and reviewers while increasing the operational functionality through automated workflow processes, reporting, data review and archiving,” Duex says.

Duex and Larew note that every CAPTRUST Community Foundation representative or board member is a volunteer. As a 501(c)(3) entity, the foundation must comply with numerous regulatory requirements—including submitting annual reports to federal and state agencies for compliance. And when it approves a grant, each organization’s request goes through a vetting process beforehand to ensure that the organization is in good standing and that the CCF feels confident the money will directly impact children as much as possible.

Supporting Young Hearts and Minds

Larew says her experience working with the CCF has been personally enriching, adding that many of her colleagues feel the same way. She echoes the comments made by other advisory firms engaged in charitable and philanthropic work, suggesting these efforts generate great employee loyalty along with goodwill from local communities.

“Working with Kidznotes in 2018 was really interesting and rewarding,” Larew recalls. “They are a local music education group here in Durham, North Carolina, focusing on bringing music education to kids who would not otherwise get that opportunity. We have donated instruments and funds, and the kids have come here and played concerts as part of our year-end celebration. It was so special to see their talent and to be a part of that. In fact, one of the kids from our community went on to be a contestant on ‘America’s Got Talent.’”

Larew also points to the partnership with CORRAL Riding Academy as personally fulfilling for herself and other CAPTRUST staffers.

“The Riding Academy provides equine therapy for girls in need,” she explains. “In working with the academy, we got to do a team building lesson out there, and we actually learned a lot ourselves, as adults, about what the girls being helped there have gone through. It was an incredible opportunity to be able to experience that.”

Another experience that comes to mind for Larew is working with the Boys & Girls Club of Santa Barbara, California, following the recent fires and mudslides.

“Some of the Santa Barbara community is very affluent, but other areas are facing real economic hardship,” she explains. “Less affluent places really suffered from the flooding and mudslides that happened in the region. Our support for this organization allowed kids to go to summer camps when they didn’t have anywhere else to go.”

Cybersecurity Strategies for the Adviser Industry

Effective cybersecurity strategies start with the right tone at the top, with senior leaders who are committed to improving their organization’s digital posture.

Art by Harry Campbell


Retirement plan advisers not only have rigorous cybersecurity responsibilities of their own—they also need to proactively help their plan sponsor clients establish airtight cybersecurity firewalls and procedures, industry experts say.

“Offering the ability to help plan sponsors with cybersecurity protections has become a huge barrier to winning larger clients, and this will inevitably move down market,” says Jon Meyer, chief technology officer at CAPTRUST. “Something similar happened in banking 15 years ago, when the Office of the Comptroller of the Currency told banks they would hold whatever entities they hired to the same standards applying to the banks. You are now seeing similar pressures in the advisory world.”

As a result, Meyer says, practices now need an information technology (IT) person dedicated to cybersecurity, as the pressure on firms and sponsors to be able to mitigate cybersecurity threats grows and grows. Meyer says the best way for sponsors to begin this journey is to hire a competent security assessor to do a baseline assessment of protections and vulnerabilities.

“It requires a significant investment, but the outcome is a good view of where the firm needs to improve policy, process, procedure and technology,” he suggests. “Frequently, people think it is just a technology issue, but the guidance shows that policies, processes, procedures and technology all have to line up, including having multifactor authentication processes in place and training employees on what to do if they receive spam.”

A valuable resource that can help guide the types of procedures sponsors should have in place is a white paper that the Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations has put out, “Cybersecurity and Resiliency Observations.” In addition, the SEC maintains a Cybersecurity Spotlight webpage that provides cybersecurity-related information and guidance.

Top Down Cybersecurity

The SEC’s white paper says that “effective cybersecurity programs start with the right tone at the top, with senior leaders who are committed to improving their organization’s cyber posture through working with others to understand, prioritize, communicate and mitigate cybersecurity risks.”

This starts, as Meyer suggested, with a risk assessment to identify, analyze and prioritize cybersecurity risks to the organization. It is also important, the SEC says, to have written cybersecurity policies and procedures to address those risks, and to effectively implement those procedures.

For instance, the SEC says, organizations should know where sensitive data resides and restrict access to systems and data only to authorized users. Companies should also use tools and processes to secure data and systems, including encrypting “data in motion” both internally and externally, and encrypting data “at rest” on all systems—including laptops, desktops, mobile phones, tablets and servers.

Additionally, the SEC explains, employee training and awareness are key components of cybersecurity programs. Meyer agrees, saying it is imperative to get all employees “thinking about the risks that are out there.”

Advisory practices themselves should revisit their cybersecurity practices and protections at least once a year, Meyer says. CAPTRUST, in fact, does “penetration testing twice a year along with daily scans of our infrastructure,” he says. “A lot of effort goes into this. Our standards are high.”

Study Your Vendors

In conjunction with helping plan sponsor clients establish internal cybersecurity procedures, advisers should also help them assess the procedures of all of the vendors serving their plan, says William Byron, southeast regional managing director with advisory practice NFP. “There is a very wide difference among vendors. For instance, you would be surprised how many third-party administrators do not employ dual-factor authentication.”

Jason Novak, senior vice president of security and IT operations at eMoney Advisor, echoes those sentiments.

“Advisers need to ask their vendors the important questions to make sure they are taking appropriate steps to protect client data,” Novak says. “Make sure they are using a multidimensional strategy to secure against security threats that includes two-factor authentication, encrypting data at rest and in transit, regularly updating operating systems and applications, mandating security training for employees and testing security with annual audits.”

In line with this, Byron says, it is important for advisers and sponsors to analyze what kinds of investments vendors are making in their cybersecurity technologies. For instance, he says, one “very interesting emerging technology is voice print technology, using each individual’s voice like a fingerprint. Those are the kinds of investments larger firms are making.”

Established Frameworks

There are established IT compliance framework controls that vendors should have in place, says Evan Taylor, senior vice president and risk consultant at NFP, who earlier in his career spent six years with the FBI conducting cyber investigations. “Two of the most well established and accepted frameworks are the ISO and NIST frameworks,” Taylor says. “Those will show sponsors and advisers that the vendors are handling data properly.”

Charlie Nelson, CEO of retirement and employee benefits at Voya Financial, says his firm has “an extensive vendor risk assessment program to determine if vendors are compliant with our cybersecurity policies, standards and guidelines—such as data, network, application, system, mobile and cloud security. We also leverage threat intelligence, breach and system maturity data from both internal and external sources to perform dynamic risk assessments.”

Not only does Voya Financial use the NIST framework, but it also has “additional consideration from FINRA, NYDFS and the SEC,” Nelson says, referring to the Financial Industry Regulatory Authority and the New York Department of Financial Services.

Finally, it is also important for vendors to have cybersecurity insurance, so that if a breach occurs and a participant’s money is hacked, they can make the participant’s account whole, Byron says.

In conclusion, Nelson says, “providing counsel on cybersecurity best practices is yet another way advisers can help to distinguish themselves and demonstrate their value proposition.”
