The PLANADVISER Interview: Kourtney Gibson, Chief Institutional Client Officer, TIAA

The head of the firm’s retirement solutions group talks guaranteed income, the savings gap and treating consultants and advisers as clients.

Kourtney Gibson

Kourtney Gibson joined TIAA more than a year ago as chief institutional client officer, leading the team’s retirement solutions business in areas that include strategy, sales, services management and participant consulting and guidance.

She holds the position at a crucial time in the retirement industry. The SECURE 2.0 Act of 2022 has brought both mandated and optional changes to the industry on a rolling basis. Guaranteed income, in which TIAA has been a leader on 403(b) plans, is looking to find its place among defined contribution plans. Meanwhile, the retirement savings gap still looms as a massive problem as the country reaches so-called “Peak 65” retirement next year.


Gibson has been hitting the challenge head-on. In her time at TIAA, she has reorganized the team working with clients, made new hires and even changed her group’s name to better focus on its retirement solutions goals. She spoke with PLANADVISER about these and other initiatives.

PLANADVISER: You’ve been at TIAA for about a year now. Tell us about your role and the background you brought from the investment bank and advisory firm Loop Capital.

GIBSON: I lead TIAA’s core retirement business, overseeing the development and distribution of strategies and services for institutional clients, consultants and in-plan participants, reaching over 15,000 plan sponsors and millions of their employees. My business segment accounts for $740 billion of the firm’s $1.2 trillion in assets under management.

It’s a challenging and rewarding role that allows me to use all the skills I gained in two decades at Loop Capital. As a wife and mother of four, my family is very important to me. Faith and family are top priorities.

I left Loop Capital from the position of executive vice chairman. In that role, I was responsible for setting long-term strategy and aligning talent and other resources to deepen client relationships. I oversaw corporate, governmental, institutional and consultant client relations and led multiple functions, including asset management, strategy, sales and trading.

My vastly wide and deep experience, built on a firm foundation of relationship-building and financial strategy, business and investment acumen, positioned me well for my work here at TIAA.

PLANADVISER: Why did you choose to join TIAA and this industry?

GIBSON: I was attracted to TIAA’s mission of helping people retire with dignity. TIAA is addressing the retirement crisis head-on. I’m proud of that and of what we’re going to accomplish in the future. TIAA has an incredible opportunity to take the blueprint that it has used to more Americans.

TIAA’s asset manager, Nuveen, is one of the world’s largest investment managers and delivers award-winning investment capabilities across asset classes. That, along with our wealth management business, is an incredible advantage for TIAA’s clients, and we offer outcome-oriented solutions to help clients reach their long-term goals.

In addition, the TIAA General Account is a difference-maker. It is a liability-driven investment portfolio specifically built around delivering lifetime retirement income solutions through TIAA Traditional, as well as other retirement products like the Secure Income Account. TIAA invests in private asset classes to leverage specific expertise within Nuveen and to build long-term, higher-return capital appreciation potential for the portfolio. It is a source of diversification and non-correlated risks relative to the rest of the portfolio.

Because our corporate structure returns profits to participants, our participants can have the benefit of exposure to alternatives through the general account, without it being an individual selection within a plan.

PLANADVISER: What are your impressions of TIAA’s plan sponsor client base and how the firm is looking to meet its needs?

GIBSON: Over the past year, I’ve focused on fine-tuning our client relationships. We’ve done this in various ways. For example, we changed our segment name to Retirement Solutions, which represents our focus on understanding our clients’ needs and serving as their advocates to influence the development of offers and solutions. We’ve also laid out a multi-year strategy for our business segments that includes vastly expanding access to lifetime income to more Americans and making sure we’re serving clients with excellence, efficiency and speed.

That strategy includes building out our leadership team, adding some key hires and aligning resources to best serve clients and expand the distribution of our guaranteed lifetime income default products.

PLANADVISER: What is your relationship like with retirement consultants and plan advisers right now?

GIBSON: Organizationally, from our CEO down, we view consultants as clients. We are in the relationship business, built on trust. We are delivering for them.

In our annual consultant survey that took place in Q4 2022, approximately 60 consultants serving TIAA clients rated the consultant support they receive from us as “best in class” when compared to our competitors.

This rating stems from TIAA specifically prioritizing the role of consultants. Since January, I have met with 10 different consultant firms, made up of over $375 billion in assets and 880+ clients. We are open to their feedback and view them as partners in our fight to close the retirement gap for more Americans.

Commitment to technology: This is a key focus. We have made huge investments in technology to make it simpler to do business with us. BusinessEdge is our consultant portal. We have added capabilities so that advisers can manage their entire book of business with us. We have seen an overwhelmingly positive response to BusinessEdge.

We are also building out retirement adviser support. So we’re investing in technology, but also in people. Finding the right talent across the industry is challenging, so we’re leveling up to invest in people. Many of the people on my team are former consultants. 

PLANADVISER: As noted, lifetime income is a focus for you and the team. But in speaking with advisers, many are skeptical of leveraging it in retirement plans. How do you approach them?

GIBSON: Consultants are at the front line of educating plan sponsors and investment committees about the potential benefits of adding lifetime income to their plans and how to do that as a plan fiduciary.

Seven out of our top 10 clients have implemented or are looking to implement lifetime income in their default solution within the next 12 months. Our partners in the consultant community played an important role in that. The feedback has been tremendous.

Our RetirePlus is a tested and proven solution that offers our clients enhanced retirement security. It’s a retirement plan default solution that uses TIAA Traditional as the fixed‐income portion of the portfolio.

Consultants are aware that RetirePlus is the retirement plan of the future, and they want to engage. They are hungry for knowledge on how solutions work, how they help participants and plan sponsors, and how to implement solutions and support that decision.

When one of our largest clients adopted RetirePlus, projected retirement income increased 24% on average for their employees. That’s the equivalent of an extra $7,000 per year. Notably, their account expenses dropped 55% at the same time.  

Another accomplishment that I’m particularly proud of: We have increased the number of personalized advice sessions by 28% year over year, truly making a difference in creating a better future for the people we serve.

PLANADVISER: What is on the horizon?

GIBSON: Every American deserves a secure retirement, but most working people who are trying to save for retirement don’t have the right tools.

Also, there are many risks that erode savings, and these are larger issues that most individuals cannot solve by themselves:

  • Longevity: There is a 46% chance that one partner of a couple aged 65 will live to 95;
  • Market: During 2008-2009, there was a 47% drop in the stock market;
  • Cognitive: More than 5 million Americans may have dementia; and
  • Inflation: Recently, we have seen the highest levels in more than 40 years. It erodes purchasing power over time.

In this system, 40% of all Americans will run out of money. Are we good with that?

There’s an opportunity here to do better. If Americans are better equipped for retirement, it will have broader positive implications on the economy and society.

A low-cost, in-plan annuity can offer guaranteed income that can never be outlived, reducing volatility and providing stable returns without sacrificing performance.

That means that in addition to stocks and bonds, you have an in-plan annuity that provides you a guarantee that, regardless of the market, it won’t go negative. You won’t outlive it. Plus, it can complement your overall financial allocation in planning for retirement.

Lifetime income can also serve as an additional lifeline for Americans who rely, or expect to rely, on entitlements like Social Security.

The Social Security Administration has said that future changes to the program are certain and that those changes should reflect the “desires of each new generation.” Adding a lifetime income option to a retirement plan can help to hedge against any potential changes made to this critical program.

Finding ways to close these gaps and secure the retirement futures of more Americans is a critical part of TIAA’s mission—it’s what we are fighting for every day.

MOVEit Hack a Lesson as Digital Threats Increase

Experts say the incident revealed how to combat the stealing and selling of personal data, but participants remain vulnerable to the next hit.

Art by Karlotta Freier
A recent data breach known as the MOVEit hack has affected more than 2,000 organizations and at least 60 million people, according to the latest tracking by KonBriefing. That list will likely keep growing.

Among those hit were millions of retirement plan participants, in large part due to a breach at Pension Benefit Information, a data vendor working with numerous large recordkeepers and state-run pension systems.


In short: The hackers got access to participant data via some of the largest and most respected institutions in the industry. Lawsuits are coming, targeting not just PBI, but the firms who used it as a vendor.

What, then, is a plan fiduciary to do?

Experts have a number of suggestions that, while they may not stop future breaches, will help a fiduciary be covered should one occur. Suggestions often start with following the Department of Labor’s April 2021 guidance on cybersecurity for the retirement industry, but they also include building a regular system of assessment into the procurement and management of vendors, participating in mock data breach exercises, and being ready for audits, should they occur.

Information for Sale

In many cybersecurity cases in recent years, hackers used a method known as ransomware, in which they locked up a company’s data and demanded a ransom to release it. More recently, hackers are going straight after personal data, such as the participant information held in MOVEit, file transfer software owned by Progress Software Corp. Hackers then sell that information on the “dark web” in batches to criminals, says Marc Bleicher, chief technology officer at Surefire Cyber.

Bleicher says the data tends to have a “shelf life” of about three months as companies start notifying participants of the breach and providing identity theft protection services. A person’s Social Security number, he says, can “fetch $2 to $5” per account, and other personally identifiable information such as financial account or passport numbers can be worth as much as $1,000 per account.

“I would assume that any transactions for [the MOVEit data] would have gone pretty quickly,” Bleicher says. “Meaning that they would have put it on there, and somebody would have purchased it and done something with it rather quickly.”

That “something,” in the case of retirement participants, may have been calling or contacting savers and posing as their retirement service providers to get at funds. The fraudsters may use tactics such as saying there has been an address change at the firm and a payout needs to be sent to keep the account active, Bleicher says.

“The victim has no idea what’s going on,” Bleicher says. “I would imagine that probably was one of the objectives here [with the MOVEit breach].”

Bleicher also notes that, when it comes to retirement accounts, hackers would likely be targeting older participants not just because they may not be as tech savvy, but because in this case, they may be more likely to respond to a query about retirement needs.

“They’re kind of a low-hanging fruit for the attacker,” he says.

Overlooked

Despite the MOVEit hack hitting participant accounts, the situation will not necessarily change the current state of cybersecurity awareness in the retirement industry, says Joseph Lazzarotti, a principal in Jackson Lewis PC who works with ERISA clients on cyber issues.

He notes that there have been other massive breaches over the years, but cybersecurity can be hard for companies to keep up with, especially midsize or small firms and the plan advisers who work with them.

“The vast majority of retirement plans from employees are in the middle of the market,” Lazzarotti notes. “Those [owners and managers] are wearing a lot of hats, and they don’t have the purse strings for cybersecurity.”

As retirement plan fiduciaries, companies are often more focused on plan investments, fees and day-to-day administration.

“That’s just their retirement plan hat, not to mention their health and welfare hat and their payroll hat and others,” he says. “It really is a challenge.”

Lazzarotti says many companies view their recordkeeper as the only vendor they have to focus on. They often assume, especially when it is a large firm, that “they know what they’re doing.” But the reality is that companies, and those advising them, need to probe and ask questions of those big vendors as well, both to assess the answers and to show that they are watching cybersecurity.

The attorney notes that, while companies should loop their information technology teams into the process, those IT staffs may not be experts in the latest types of cybersecurity threats. Those teams may be most useful, he says, in helping approach vendors, who can then show that they are aware of the threats and have specialists watching out for the security of participant data.

“If I’m a retirement plan sponsor of a mid-market company,” Lazzarotti says, “you can’t assess every vendor to the same extent. But you do go through a procurement process, and so you should make as part of the procurement process a question around what amount of risk the vendor presents and then base your assessment on their answers.”

Liability Can’t Be Outsourced

One of the biggest misconceptions among plan sponsors is that they are not responsible for cybersecurity breaches that occur at one of their vendors, says Mario Paez, national cyber risk leader at Marsh McLennan Agency LLC. He notes that 2021 Department of Labor guidance has gone a long way in combatting that misconception, but he still often gets the question when working with clients.

“There’s this thought [among clients] that: ‘Great, I may collect this data, but it’s routed to a third party for the processing and the storage—the safekeeping of that—so I’m outsourcing my liability, correct?’” Paez says. “The answer to that is: ‘No. No, you are still very much responsible.’”

Paez, however, notes that the expectation is not for plan sponsors to be immune from breaches. It is that they show, on a consistent basis, they are monitoring and assessing their vendors in terms of digital protection.

Service providers must also be keeping up with cybersecurity concerns and have an incentive beyond just avoiding a breach.

“As a service provider, to gain $10 million, $20 million or $50 million in cybersecurity insurance coverage, I better have my act together to demonstrate that I am insurable in order to conduct my business and be compliant with most contracts,” Paez says.

That means the cybersecurity relationship can go in the other direction. In some cases, service providers can offer to work with a plan adviser or sponsor on their own cybersecurity, Paez says. Particularly in the case of small plan sponsors, the providers might use it as a “marketing tool” in terms of offering them cybersecurity review and assistance.

All of this work, Paez says, is crucial for plan fiduciaries to be prepared in case of an audit so they can show due diligence.

“It’s not a set-it-and-forget-it approach,” he says. “It’s a continual journey that is about the maturation in the contracting by the plan sponsors and the various service providers in that corporate supply chain.”

Play It Out

Paez recommends one key exercise plan fiduciaries can do both internally and with vendors and providers: a mock simulation of a data breach.

“On the retirement side, [plan fiduciaries] should look through that scenario… and see what that process looks like,” he says.

This type of preparation is also crucial because, Paez says, if and when a breach does occur, lawsuits will likely follow in which decision-making by the fiduciaries will be closely scrutinized. Even if employers have a great relationship with their employees, he notes, lawsuits will ensue if information or finances are stolen.

“If I’m an employee, I may look at my employer and say, ‘Well, why was this [service provider] selected?’ That’s where the plaintiffs’ bar can be very creative to turn over every stone to look for different pockets of funds,” Paez says.

The MOVEit breach has already brought a slew of lawsuits against some of the providers involved, including TIAA, Fidelity Investments and PBI. While those cases may play out for years, they may also serve as reminders to the industry, says Surefire Cyber CTO Bleicher.

“Moving forward, I think this is a great lesson,” he says. “I tell all my clients to treat any third-party service or product provider as an extension of your team and apply the same information and security standards that you would internally to assessing whether they’re the right vendor for you.”
