Advisers’ Leading Role in Cybersecurity

It is important to ask what cybersecurity means to retirement plan service providers and fiduciary advisers—and what steps they can take to ensure the safety of participant assets and data.

Art by Carol Rollo

In the last decade, plan sponsors and participants have benefited in many ways from the greater use digital communications technologies. Thanks to the connectivity made possible by the Internet, it is now easier than ever for participants and sponsors to quickly access important plan information or enact changes.

At the same time, experts warn, the rapid introduction of digital communications in the financial services space means cybersecurity has become a top issue, one which is not necessarily receiving a sufficient amount of attention.  

This is why, in late in 2018, the ERISA Advisory Council requested guidance from the Department of Labor (DOL) on how employers should evaluate cybersecurity risks. The Council also asked that plan providers build a formal cybersecurity protection process and ensure all staff understand how these defenses work. Joining the Council, in February, federal lawmakers sent a letter to the U.S. Government Accountability Office (GAO), asking the research agency to examine cybersecurity deficiencies in the U.S. retirement industry.

Reflecting on how the cybersecurity topic impacts plan advisers, George Sepakos, principal at Groom Law Group, points out that the work of advisers today goes far beyond just giving investment advice. Instead, today’s plan advisers are commonly providing general financial wellness education and giving advice on money that resides outside the retirement plan. This means advisers and their clients are sharing more and more data through a growing number of potentially at-risk pathways. Advisers must be aware of this fact and take proactive measures to monitor the security of data transfers and sensitive information repositories. 

Apart from ensuring that they are meeting their own responsibilities, Sepakos says, advisers can help sponsors create incident response plans should there ever be a security breach in their online platforms.

Allison Itami, who also works as a principal at Groom Law Group, says the level of cybersecurity care demanded of a service provider to an ERISA-covered retirement plan will depend on the specific services being provided. For example, if a given entity is solely advising on the investment side at the plan level and is not interacting with individual participants in a fiduciary capacity, then monitoring cybersecurity may be a more straightforward matter.

“It would be the fiduciaries who have control over the participant data management and discretion over assets that would have to be most concerned with cybersecurity,” she explains. “When we talk about cybersecurity for fiduciaries, we’re talking about a general duty under ERISA’s prudence standards.”

Advisers anecdotally say that the topic of cybersecurity is becoming very prevalent in the request for proposal process—as plan sponsors seek new advisers, recordkeepers and other service providers. Advisers wanting to learn more about cybersecurity and the RFP process can turn to the SPARK Institute, which recently published a list of best practices that it says providers should use to report cybersecurity capabilities to plan sponsors and plan consultants. Another resource is the American Institute of Certified Public Accounts’ Employee Benefit Plan Audit Quality Center, which recently released guidance on protecting employee benefit plan records.

Advisers can also learn from the large-scale providers that are already taking steps to reinforce cybersecurity and safeguard participant and plan data. In 2018, Milliman introduced an account lock feature on its benefits participant portal, designed to allow participants to halt withdrawals and loan transactions. Earlier that year, John Hancock Retirement Plan Services offered reimbursements for eligible participants on unauthorized transfers made from 401(k) accounts. Some companies also already utilize proactive analytics to protect participants before they are subject to online threats.

At Voya Financial, predictive data is utilized to help look for potentially fraudulent activity, says Charlie Nelson, CEO of retirement and employee benefits.

“We use machine learning algorithms to identify suspicious account activities—transactions, customer interactions or profile changes—to help protect against fraudulent account takeovers and elder financial abuse,” he says. “We live in a world where all forms of financial services companies offer digital access to products and accounts. We believe that plan providers, plan sponsors and plan participants need to share in the responsibility to do everything we can to keep account information safe.  The more eyes we have on protecting accounts, the better we can protect information.”