Retirement plan advisers not only have rigorous cybersecurity responsibilities of their own; they also need to help their plan sponsor clients proactively establish robust cybersecurity controls and procedures, industry experts say.
“Offering the ability to help plan sponsors with cybersecurity protections has become a huge barrier to winning larger clients, and this will inevitably move down market,” says Jon Meyer, chief technology officer at CAPTRUST. “Something similar happened in banking 15 years ago, when the Office of the Comptroller of the Currency told banks they would hold whatever entities they hired to the same standards applying to the banks. You are now seeing similar pressures in the advisory world.”
As a result, Meyer says, practices now need an information technology (IT) staff member dedicated to cybersecurity, as the pressure on firms and sponsors to show they can mitigate cybersecurity threats keeps growing. The best way for sponsors to begin, Meyer says, is to hire a competent security assessor to perform a baseline assessment of their existing protections and vulnerabilities.
“It requires a significant investment, but the outcome is a good view of where the firm needs to improve policy, process, procedure and technology,” he suggests. “Frequently, people think it is just a technology issue, but the guidance shows that policies, processes, procedures and technology all have to line up, including having multifactor authentication processes in place and training employees on what to do if they receive spam.”
A valuable resource that can help guide the types of procedures sponsors should have in place is a white paper that the Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations has put out, “Cybersecurity and Resiliency Observations.” In addition, the SEC maintains a Cybersecurity Spotlight webpage that provides cybersecurity-related information and guidance.
Top Down Cybersecurity
The SEC’s white paper says that “effective cybersecurity programs start with the right tone at the top, with senior leaders who are committed to improving their organization’s cyber posture through working with others to understand, prioritize, communicate and mitigate cybersecurity risks.”
This starts, as Meyer suggested, with a risk assessment to identify, analyze and prioritize cybersecurity risks to the organization. It is also important, the SEC says, to have written cybersecurity policies and procedures to address those risks, and to effectively implement those procedures.
For instance, the SEC says, organizations should know where sensitive data resides and restrict access to systems and data only to authorized users. Companies should also use tools and processes to secure data and systems, including encrypting “data in motion” both internally and externally, and encrypting data “at rest” on all systems—including laptops, desktops, mobile phones, tablets and servers.
Additionally, the SEC explains, employee training and awareness are key components of cybersecurity programs. Meyer agrees, saying it is imperative to get all employees “thinking about the risks that are out there.”
Advisory practices themselves should revisit their cybersecurity practices and protections at least once a year, Meyer says. CAPTRUST, in fact, does “penetration testing twice a year along with daily scans of our infrastructure,” he says. “A lot of effort goes into this. Our standards are high.”
Study Your Vendors
In conjunction with helping plan sponsor clients establish internal cybersecurity procedures, advisers should also help them assess the procedures of all of the vendors serving their plan, says William Byron, southeast regional managing director with advisory practice NFP. “There is a very wide difference among vendors. For instance, you would be surprised how many third-party administrators do not employ dual-factor authentication.”
Jason Novak, senior vice president of security and IT operations at eMoney Advisor, echoes those sentiments.
“Advisers need to ask their vendors the important questions to make sure they are taking appropriate steps to protect client data,” Novak says. “Make sure they are using a multidimensional strategy to secure against security threats that includes two-factor authentication, encrypting data at rest and in transit, regularly updating operating systems and applications, mandating security training for employees and testing security with annual audits.”
In line with this, Byron says, it is important for advisers and sponsors to analyze what kinds of investments vendors are making in their cybersecurity technologies. For instance, he says, one “very interesting emerging technology is voice print technology, using each individual’s voice like a fingerprint. Those are the kinds of investments larger firms are making.”
There are established IT compliance frameworks whose controls vendors should have in place, says Evan Taylor, senior vice president and risk consultant at NFP, who earlier in his career spent six years with the FBI conducting cyber investigations. “Two of the most well established and accepted frameworks are the ISO and NIST frameworks,” Taylor says. “Those will show sponsors and advisers that the vendors are handling data properly.”
Charlie Nelson, CEO of retirement and employee benefits at Voya Financial, says his firm has “an extensive vendor risk assessment program to determine if vendors are compliant with our cybersecurity policies, standards and guidelines—such as data, network, application, system, mobile and cloud security. We also leverage threat intelligence, breach and system maturity data from both internal and external sources to perform dynamic risk assessments.”
Not only does Voya Financial use the NIST framework, but it also has “additional consideration from FINRA, NYDFS and the SEC,” Nelson says, referring to the Financial Industry Regulatory Authority and the New York Department of Financial Services.
Finally, it is also important for vendors to carry cybersecurity insurance, so that if a breach leads to theft from a participant’s account, the vendor can make the participant whole, Byron says. Advisers and sponsors should confirm that a vendor’s policy actually covers that kind of loss; insurance compensates for a breach after the fact and does not replace the controls that prevent one.
In conclusion, Nelson says, “providing counsel on cybersecurity best practices is yet another way advisers can help to distinguish themselves and demonstrate their value proposition.”