Ever Vigilant

3 ways to help your clients protect against cybersecurity threats.
Reported by Judy Ward

Joe Brummel and his colleagues at Strategic Retirement Partners (SRP), in Minneapolis, were already checking recordkeepers’ data-security policies and procedures.

But the need for such provisions hit home for the SRP managing director when, two years ago, someone tried to make a fraudulent $330,000 withdrawal from an account in a client’s plan. “Fortunately, it was caught before the withdrawal was made,” Brummel says. The request had been notarized and dated, but the plan’s key sponsor-contact happened to recall that the employee named in the request had been out of the state on that day. “Everything looked legit, but the contact really paid attention, because she’s diligent,” he says. That incident led the sponsor to ask Brummel what capabilities the plan’s recordkeeper and third-party administrator (TPA) had to stop cybercrimes against participant accounts. “We were asking recordkeepers questions about data security before, but this really brought it to the forefront and made it a lot more real,” he says.

Cybersecurity threats, such as making fraudulent withdrawals or stealing participant data and using it for identity theft, have become a real issue for retirement plans. “All the cybersecurity issues with the banks and credit card companies have now reached the retirement plan industry,” says Jim Sampson, director, retirement advisory services at Hilb Group Retirement Services in Warwick, Rhode Island. “There are large pockets of money in these accounts: It’s almost like robbing a bank, to ‘get inside’ a 401(k) plan. Often, there are millions and millions of dollars, just sitting there.”

Sponsors have become aware of the cybersecurity threat and need their adviser’s help to address it. “It’s rising to the top of plan sponsors’ concerns fairly quickly,” says Christopher Kulick, a principal at CAPTRUST in Doylestown, Pennsylvania. “As advisers, we are constantly challenged to evolve, and this is a newer area for us. I don’t hold myself out to be an IT [information technology] guru, but I’m able to support my clients by leveraging our internal provider-research group or our IT staff and their expertise. For advisers, it’s having the right people internally, asking recordkeepers the right questions, and then distilling the information down so it will be helpful to plan sponsors in making good decisions about cybersecurity.”

Here we describe three ways that advisers can help sponsors tighten their cybersecurity.

The RFP: Dig Deeper

All major recordkeepers have gone to great lengths to protect account holders, Sampson says. “But some have gone above and beyond, versus the others.” The search process can help reveal the distinctions. For example, he says one recordkeeper has an “ethical hacking team” within the company. “They spend all day, every day, trying to hack into the recordkeeper’s system internally, to see if there are any vulnerabilities, so they can fix them,” he says.

To evaluate a recordkeeper’s data security first requires understanding the fundamentals of how that provider’s technology works, Kulick says. For one thing, is the system mainframe-based or cloud-based? “Then, it’s going a step further and looking at, what types of controls does the recordkeeper have in place? What is it doing proactively to address the threats coming in? And it’s important to understand what would happen if somebody’s account is breached: What would the provider do in response? Also, are its security programs adaptable as cybersecurity threats change, or does it have an inflexible framework?”

Attorney Brenna Clark says a section on data security in a request for proposals (RFP) can start by asking a few general questions. “You can say, ‘Tell us about your cybersecurity system. What steps have you taken to stay ahead of threats?’” says Clark, a partner at Eversheds Sutherland LLP in Atlanta. “We like to encourage the recordkeeper to provide detailed explanations, especially if a plan sponsor is not familiar with cybersecurity issues.”

Subsequent questions can get more specific, and Clark lists some to consider asking: What specific steps will the provider take if there is a breach? How will the provider notify the sponsor if a breach happens? What financial liability is the provider willing to take on if a breach occurs? How often will the provider report on its cybersecurity efforts? What cybersecurity insurance does the recordkeeper have? Does the recordkeeper limit the number of its own personnel with access to participants’ personal data? What background checks does the provider do on staff members who will have access to participant data? And what training does the provider do for its staff on data security?

Sampson sees the varying cybersecurity guarantees that recordkeepers have adopted as an important differentiator. “There are different levels of guarantees among the recordkeepers: It all depends on the cybersecurity insurance the recordkeeper has,” he says. “Some will replace the entire amount taken from the participant’s account, and some also will replace any gain on the investment while the money is out of the account. So ask them, ‘Do you make the participant whole? If there’s a breach or a hack and the employee has his or her money taken out, do you replace it in full?’”

If the plan fiduciary seeking a recordkeeper has its own cybersecurity standards, it should reveal them in the RFP, advises Matthew Hawes, a partner at law firm Morgan, Lewis & Bockius LLP in Pittsburgh. “One of the key elements is to make sure you engage very early in the process with the potential recordkeeper, to get in front of them with the plan fiduciary’s preferred data-security provisions,” he says. “Making those provisions part of the process can be a key differentiator in making a decision on which recordkeeper to choose.”

The Service Agreement: Spell It Out

The service agreement can help protect a plan and its participants by clearly spelling out the recordkeeper’s cybersecurity obligations. “It really comes down to, what is the provider willing to put down in writing, with respect to its security measures?” Kulick says.

It helps to define cybersecurity parameters in the contract, Hawes says. Clarify what data falls under the category of “confidential and protected information,” for instance. “The definitions can vary greatly among recordkeepers,” he says. “There’s a tension between what a plan fiduciary might want to have considered to be confidential information and what a provider might want. Often, plan fiduciaries will try to negotiate for as broad of a definition as possible.”

Hawes suggests defining what falls under the category of “security breach.” As he explains, “Ultimately, this means defining what would constitute a breach, such that the recordkeeper needs to take action, and defining the specific obligations of the recordkeeper following the breach.”

It is important to spell out the recordkeeper’s guarantee if a breach does occur, Brummel agrees. “In what situations does the guarantee apply? And what requirements does a participant have to meet to be reimbursed for a loss, such as there being a statute of limitations?” He says some recordkeepers stipulate that, to get reimbursed, a participant has to have registered his account online prior to the cybercrime. Another common stipulation: A participant has to notify the recordkeeper within a “reasonable” amount of time of a suspected cybercrime. One major recordkeeper has a 90-day limit, he says.

The agreement also can specify what ongoing cybersecurity reporting the provider will give a sponsor. Additionally, Clark suggests that the sponsor and recordkeeper agree to periodically revisit provisions, as the nature of cyber threats shifts. Because technology and the sophistication of attacks constantly evolve, what works in an agreement now might not work two years from now, she observes.

Monitoring: Keep an Eye On It

Fiduciaries also should monitor a recordkeeper’s data security on an ongoing basis, Hawes says. “Fiduciaries typically don’t run their own tests on a recordkeeper’s cybersecurity. But it’s important to understand what tests the recordkeeper is running and to ask questions of the recordkeeper about it,” he says. A service agreement may specify the security tests and audits that a provider will undergo on a regular basis. “Oversight can be as basic as making sure the cybersecurity commitments the recordkeeper made in the contract have been kept,” he says.

For plan advisers, monitoring is an issue of keeping up with changing data-security standards and understanding a recordkeeper’s current cybersecurity processes, Sampson says. “And I’d like to know, what are the results each year of the recordkeeper’s cybersecurity self-testing?” He envisions such findings being included in the standard year-end client-review package, covering points such as the number of tests the recordkeeper ran internally during the year and the potential issues it found.

“Many of these companies have spent an incredible amount of money beefing up their cybersecurity,” he observes. “It’s surprising to me that more recordkeepers haven’t created reporting like this, to use as a marketing and sales tool. But now they’re getting to the point where they can say, ‘We’ve had these protections in place for two years, or five years. We’ve got the data that we can report on to sponsors.’” He hopes to see data-security reporting presented in a way that is simple enough for sponsors without technology expertise to understand.

Some recordkeepers also have an audit done of their own cybersecurity, and Kulick notes it is helpful, as an adviser, to see reporting on that. “The providers should be relying on a qualified third party to come in and identify weaknesses in their system. And if weaknesses are identified, the report should discuss how they were resolved,” he says.

While such audits are not yet an industry standard, Brummel anticipates that increasingly recordkeepers will have an audit done that complies with the American Institute of Certified Public Accountants (AICPA) SOC 2® reporting standards. “No plan sponsor or adviser has the time and the expertise to go fully through all aspects of a recordkeeper’s cybersecurity themselves,” he says. “SOC 2 will give you an independent review of the provider’s practices.” Getting that reporting regularly could help a sponsor meet its fiduciary responsibility to protect participants, he adds.

Some advisory firms such as CAPTRUST also now proactively send recordkeepers a cybersecurity questionnaire, to help the firm with monitoring. “We have recently begun requesting reporting on a plan-by-plan basis,” Kulick says. “And our provider due-diligence team regularly sends recordkeepers questionnaires that aren’t client-specific.” The questionnaires ask things such as what cybersecurity improvements and enhancements the recordkeeper has made since the last questionnaire.

Strategic Retirement Partners has sent this type of questionnaire to providers for the past two years and plans to do it again this year. “It’s a list of questions that helps us document an overview of their cybersecurity and privacy policies,” Brummel says. For example, it asks if the recordkeeper has experienced any security breaches in the past year and, if so, to explain what happened.

“Plan sponsors have an obligation to try to protect participants’ accounts, and clients rely on us as their adviser to help them fulfill their responsibilities,” he says.

For Brummel, the annual questionnaire also helps keep him updated on data-security issues. “Keep in mind, the recordkeepers can’t tell us everything. If they tell us all the details about their data-security system, essentially they’ve given us their security ‘code,’” he points out. “But I don’t know how anyone could keep up with this issue without getting this information. I don’t consider myself a technology expert, but I need to know enough to ask the right questions.”

A Hazy Legal Picture

It is unclear, from a legal and regulatory perspective, exactly how fiduciaries are expected to protect participants’ retirement plan data and assets.

“With health-care data, you have HIPAA [Health Insurance Portability and Accountability Act], which has a lot of specific rules about the steps that employers have to take,” says Brenna Clark of Eversheds Sutherland LLP. “There is no equivalent law on the retirement plan side. So fiduciaries really just have to follow the ERISA [Employee Retirement Income Security Act] standard of acting in the best interests of participants. But it’s not clear what that means, in this case, and there hasn’t been any formal regulatory guidance on it.”

The fiduciary standard “likely means taking some steps to make sure participants’ data and assets are secure,” Clark continues. Doing so comes into play at several stages, including the recordkeeper search process, the service agreement and ongoing monitoring, she says.

Fiduciaries who fail to implement sound data-security processes may be vulnerable to future participant lawsuits over cybersecurity issues. “Under ERISA’s fiduciary obligations, plan fiduciaries should be sensitive to this issue and recognize that it wouldn’t be hard for a court to conclude that ERISA imposes obligations on a fiduciary to protect participants and plans from cybersecurity threats,” says Matthew Hawes of Morgan, Lewis & Bockius LLP.

SPARK [Society of Professional Asset Managers and Recordkeepers] Institute Inc. has produced guidelines on data-security standards for recordkeepers, Hawes says. “But there is no single regulatory authority that has established: ‘This is exactly what you need to do,’” he says. “That creates a challenge for plan sponsors. The key is to engage with the recordkeeper early on cybersecurity issues, and often.”

Art by Ryan Peltier
