Cybersecurity Strategies for the Adviser Industry

Effective cybersecurity strategies start with the right tone at the top, with senior leaders who are committed to improving their organization’s digital posture.

Art by Harry Campbell

Retirement plan advisers not only have rigorous cybersecurity responsibilities of their own—they also need to proactively help their plan sponsor clients establish airtight cybersecurity firewalls and procedures, industry experts say.

“Offering the ability to help plan sponsors with cybersecurity protections has become a huge barrier to winning larger clients, and this will inevitably move down market,” says Jon Meyer, chief technology officer at CAPTRUST. “Something similar happened in banking 15 years ago, when the Office of the Comptroller of the Currency told banks they would hold whatever entities they hired to the same standards applying to the banks. You are now seeing similar pressures in the advisory world.”


As a result, Meyer says, practices now need an information technology (IT) person dedicated to cybersecurity, as the pressure on firms and sponsors to be able to mitigate cybersecurity threats continues to grow. Meyer says the best way for sponsors to begin this journey is to hire a competent security assessor to do a baseline assessment of protections and vulnerabilities.

“It requires a significant investment, but the outcome is a good view of where the firm needs to improve policy, process, procedure and technology,” he suggests. “Frequently, people think it is just a technology issue, but the guidance shows that policies, processes, procedures and technology all have to line up, including having multifactor authentication processes in place and training employees on what to do if they receive spam.”

A valuable resource that can help guide the types of procedures sponsors should have in place is a white paper that the Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations has put out, “Cybersecurity and Resiliency Observations.” In addition, the SEC maintains a Cybersecurity Spotlight webpage that provides cybersecurity-related information and guidance.

Top Down Cybersecurity

The SEC’s white paper says that “effective cybersecurity programs start with the right tone at the top, with senior leaders who are committed to improving their organization’s cyber posture through working with others to understand, prioritize, communicate and mitigate cybersecurity risks.”

This starts, as Meyer suggested, with a risk assessment to identify, analyze and prioritize cybersecurity risks to the organization. It is also important, the SEC says, to have written cybersecurity policies and procedures to address those risks, and to effectively implement those procedures.

For instance, the SEC says, organizations should know where sensitive data resides and restrict access to systems and data only to authorized users. Companies should also use tools and processes to secure data and systems, including encrypting “data in motion” both internally and externally, and encrypting data “at rest” on all systems—including laptops, desktops, mobile phones, tablets and servers.

Additionally, the SEC explains, employee training and awareness are key components of cybersecurity programs. Meyer agrees, saying it is imperative to get all employees “thinking about the risks that are out there.”

Advisory practices themselves should revisit their cybersecurity practices and protections at least once a year, Meyer says. CAPTRUST, in fact, does “penetration testing twice a year along with daily scans of our infrastructure,” he says. “A lot of effort goes into this. Our standards are high.”

Study Your Vendors

In conjunction with helping plan sponsor clients establish internal cybersecurity procedures, advisers should also help them assess the procedures of all of the vendors serving their plan, says William Byron, southeast regional managing director with advisory practice NFP. “There is a very wide difference among vendors. For instance, you would be surprised how many third-party administrators do not employ dual-factor authentication.”

Jason Novak, senior vice president of security and IT operations at eMoney Advisor, echoes those sentiments.

“Advisers need to ask their vendors the important questions to make sure they are taking appropriate steps to protect client data,” Novak says. “Make sure they are using a multidimensional strategy to secure against security threats that includes two-factor authentication, encrypting data at rest and in transit, regularly updating operating systems and applications, mandating security training for employees and testing security with annual audits.”

In line with this, Byron says, it is important for advisers and sponsors to analyze what kinds of investments vendors are making in their cybersecurity technologies. For instance, he says, one “very interesting emerging technology is voice print technology, using each individual’s voice like a fingerprint. Those are the kinds of investments larger firms are making.”

Established Frameworks

There are established IT compliance framework controls that vendors should have in place, says Evan Taylor, senior vice president and risk consultant at NFP, who earlier in his career spent six years with the FBI conducting cyber investigations. “Two of the most well-established and accepted frameworks are the ISO and NIST frameworks,” Taylor says. “Those will show sponsors and advisers that the vendors are handling data properly.”

Charlie Nelson, CEO of retirement and employee benefits at Voya Financial, says his firm has “an extensive vendor risk assessment program to determine if vendors are compliant with our cybersecurity policies, standards and guidelines—such as data, network, application, system, mobile and cloud security. We also leverage threat intelligence, breach and system maturity data from both internal and external sources to perform dynamic risk assessments.”

Not only does Voya Financial use the NIST framework, but it also has “additional consideration from FINRA, NYDFS and the SEC,” Nelson says, referring to the Financial Industry Regulatory Authority and the New York Department of Financial Services.

Finally, it is also important for vendors to have cybersecurity insurance, so that if a breach occurs and a participant’s money is hacked, they can make the participant’s account whole, Byron says.

In conclusion, Nelson says, “providing counsel on cybersecurity best practices is yet another way advisers can help to distinguish themselves and demonstrate their value proposition.”

TDFs, Passive Funds and Income Products Shape the DCIO Landscape

Sources say plan sponsors are beginning to realize the value of differentiating services—from retirement income solutions to securities lending capabilities—now that costs have come down across the board.

Art by Tim Peacock

The most important development in the defined contribution investment only (DCIO) marketplace to consider is the fact that the lion’s share of assets is being attracted into the target-date funds (TDFs) offered by Vanguard, American Funds and State Street Global Advisors, says Chris Brown, principal and founder of Sway Research.

In fact, Sway’s third quarter 2019 report on DCIO sales shows that year-to-date through that quarter, DCIO assets were up an average of 14%—but Tier 1B firms’ assets were up 21.9%. Furthermore, year-to-date gross sales for the average Tier 1A firm were five times those of Tier 1B firms, 12 times the average of Tier 2 firms and 25 times the average for Tier 3. For context, Sway’s research breaks the DCIO market down into three tiers based on firms’ relative market share.


While plan sponsors have been seeking the lowest cost offerings from their DCIO providers, James Martielli, head of defined contribution (DC) advisory services at The Vanguard Group, says that sponsors are beginning to realize the value of “differentiating services,” now that costs have come down across the board.

“When cost differences are small, it comes down to such details as execution and performance—how well you manage the portfolio,” Martielli says. “Do you offer securities lending? What do you offer that goes beyond cost? We are seeing that dynamic play out on the larger end of the market. On the smaller end, clients are catching up.”

Mike Swan, client portfolio manager for defined contribution clients at SEI Institutional, also thinks the pendulum might be swinging away from over-concentration on low fees.

“Being solely focused on passive investments and reduced fees is shortsighted,” Swan says. “The focus needs to switch to value. For instance, we think 3(38) fiduciary services will be beneficial in the long term for most plan sponsors. It reduces the conflict in making investment decisions and allows plans to take action more quickly.”

Vanguard has also found that many of its plan sponsor clients are examining the glide paths of their TDFs to ensure they are the right solution for the demographics of their plan, Martielli says. To date, “there hasn’t been a significant difference between custom and off-the-shelf TDFs,” he says.

To that point, there is increased interest among sponsors for managed accounts from DCIO providers, says David Blanchett, head of retirement research at Morningstar. Indeed, Hartford Funds’ clients are increasingly asking about managed accounts, says Dave Hescheles, national sales manager.

“While the defined contribution market is still dominated by TDFs, sponsors are beginning to realize that plans can embrace the models of traditional wealth management,” Hescheles says. “The customization is what excites us—the ability to bring best-in-class managers to participants with very attractive prices.”

Likewise, more Voya Investment Management clients are seeking collective investment trusts (CITs), which used to be available only at the larger end of the market, says Mike DeFeo, managing director and head of DCIO. More sponsors also are inquiring about environmental, social and governance (ESG) investment, DeFeo adds.

“ESG is talked about more than utilized, but talk is starting to drive some action, as well,” he says.

A big development that is bound to affect the DCIO industry in the coming years—due to the massive amounts of Baby Boomers retiring and the passage of the Setting Every Community Up for Retirement Enhancement (SECURE) Act—is retirement income solutions, Brown says.

“While we have been talking about retirement income for 20 years, there really is a push now to figure out how to build income into products or deliver them as standalone in-plan offerings,” Brown says. “The SECURE Act has created opportunities for insurance wrap products to help participants hedge or minimize longevity and downside risk. This will be a clear way for DCIO providers to differentiate themselves.”

One recent example of such an offering was American Funds incorporating income into its TDFs, DeFeo notes. “More providers, including Voya, will be coming out with their own versions of that, including standalone retirement income offerings,” he adds. “Firms like Voya that have robust fixed income platforms are trying to figure out how to use that strength to provide unique investment opportunities in the market.”

Sponsors are increasingly interested in offering retirement income solutions, says Jordan Burgess, head of specialist field sales overseeing DCIO at Fidelity Institutional Asset Management. He notes that Fidelity’s annual Plan Sponsor Attitudes Survey has found that sponsors fear that 50% of their participants will not be able to cover essential expenses in retirement. This has also prompted 93% of sponsors to work with a financial adviser or investment professional, up from 70% in 2008, Burgess notes.

Moving forward, Voya is also exploring how to offer “access to private equity and other alternative levers and mechanisms that create wealth to retirement plan participants,” DeFeo says.

All in all, insiders point to a broadening of services by DCIO providers and a keener focus on the needs of participants and retirees.
