Why Data Security Is a ‘Shared Responsibility’ for Advisers
A retirement plan’s participant data are of immense value, and access to that data is an ongoing debate, as evidenced by the dispute between Fidelity Investments and technology firm Pontera Solutions Inc., as well as a participant lawsuit against Empower Annuity Insurance Co. of America. While some third-party vendors push for more integrated services, data owners may be concerned about sensitive data exposure. Artificial intelligence can potentially unleash a myriad of tactics to breach security, using everything from convincing deepfakes to undetectable phishing emails.

In the recently released 2026 PLANSPONSOR Defined Contribution Plan Benchmarking Report, respondents chose “cybersecurity guidance on participant data protection” as the most valued third-party service. Akshay Dhawan, senior managing director at FTI Consulting, has helped leading financial services companies across retirement, banking, insurance and investment management sectors perform cybersecurity assessments, as well as implement and improve security measures. He recently spoke with PLANADVISER, reflecting on his more than 20 years of experience and sharing how companies and individual advisers all play a part in improving cybersecurity.
PLANADVISER: As artificial intelligence becomes more ubiquitous, has your job gotten harder or easier?
Akshay Dhawan: It’s both. It’s made things easier for most of us, but it makes things more complicated when it comes to the capabilities now available to everybody to make more sophisticated attacks. A very simple example is: We all have been getting these phishing emails for God knows how long. Now it’s oftentimes hard to judge if they are fake or real. More people are falling prey to that, and credentials get compromised, data gets lost. I always feel like the human is the weakest link in security. Threat actors will find a way to deceive someone through the use of AI, whether it is through facial recognition technologies or voice technologies.
But on the flip side, security professionals are also getting smarter in terms of using AI to their advantage. Not only is it becoming easier for criminals, but it’s also becoming a little bit easier for security professionals to use some level of degree of sophistication. Multi-factor authentication is already a standard in the industry. We will see more and more of that.
PLANADVISER: What elements should a financial advisory business keep in mind as it improves its own security?
Dhawan: Security web design—start with that. Security professionals should be very actively engaged with their teams as they are designing new systems, getting more involved as those designs turn into actual implementations. When the code build is happening, the security team guides them to the right path on checkpoints they need to be thinking about.
PLANADVISER: What obligations does a financial advisory business have regarding its own data?
Dhawan: The most-visited topic that I have with financial services and advisers is access. Organizations share customer data among their team—that sharing, while it may be appropriate, needs to be revisited frequently. People come and go, so [companies] want to ensure that only the right people are seeing that data.
Some of this is sensitive data—names, addresses, phone numbers, Social Security numbers, 401(k)s, investment information, so on and so forth. Some [employees] may not be serving that customer or client directly, but they may have access to that data. Do they really need that level of access? If they do, what are the limitations around it?
PLANADVISER: What should advisers keep in mind as they look for a third-party vendor that could host sensitive data about their company or clients?
Dhawan: Always start with doing a security assessment of the third-party provider. How long have they been around? Determine what their security protocols are. Request a SOC [System and Organization Controls] report—it’s a very common third-party assessment report. It will also demonstrate a level of maturity from the provider, if they’ve got a SOC report.
Ask more specific questions about the types of services you’re procuring. How is the security of that service maintained? Do they have insurance policies? Have they had a breach and, if so, did they lose customer data, etc.? Will those resources all be in the U.S. or outside the United States? What types of clearances do they have? Can they take pictures of sensitive information or copy-paste that information? A number of things determine the security controls of the third party, and there are standard industry questionnaires. The SIG [Standardized Information Gathering] questionnaire is a great start.
If you make the decision to go with the vendor, don’t stop there. Keep assessing them at a minimum of once or twice a year. As we all know, things change, security changes, people come and go. If the company is outsourcing some capabilities to a third party or cloud provider, it still has the responsibility to ensure that this is the right choice of product or service on an ongoing basis.
PLANADVISER: What security issues should advisers be thinking about in terms of data storage?
Dhawan: Data is a multilayered conversation: how you manage that data, where you store the data, for how long. There are specific requirements for regulated data to be purged after a period of time—that does not always happen. When there are security incidents, one of the things that comes up very, very frequently is that there was data that was retained that should not have been.
When clients think of the cloud, of storage, they automatically think, “Well, it is one of the hyperscalers—[security] is their responsibility.” That may be true from the aspect of the data storage and the mechanisms around it, but it is equally important for people to understand their obligations for protecting their own data. There’s something called a shared responsibility model in the cloud security world. It means that depending on the type of service and data, there are obligations that the cloud provider has, but there are equally and sometimes more obligations that the data owner has.
PLANADVISER: What’s one principle of cybersecurity everyone should be aware of?
Dhawan: Manage your identity and your passwords very carefully. Identity is what I call the front lines of security. Individuals, companies, organizations need to manage that effectively. Be vigilant, because gone are the days that people were coming in cars and robbing homes. Now they use sophisticated techniques to rob banks, cryptocurrencies and things like that. We have to be more careful.