401(k) plan advisers take more of an interest in record keepers' cybersecurity practices

Clients also have heightened concerns about securing the personal data of their employees

Jul 18, 2016 @ 12:55 pm

By Greg Iacurci

In an era when costly cyberattacks and data breaches are becoming more common, 401(k) plan advisers are beginning to scrutinize data-security practices at record-keeping firms.

“It's certainly something we haven't requested detailed information on in the past,” according to Sean Deviney, head of the retirement plan department at Provenance Wealth Advisors. “But as everything becomes more and more paperless, and sponsors outsource more of the plan services to the vendor and rely on them to protect the data of their employees, we're certainly looking closer at that.”

Record keepers are a repository of sensitive personal information: Social Security numbers, dates of birth and addresses, as well as a plan's 401(k) account and transactional information, according to Tim Rouse, executive director of The SPARK Institute Inc., a retirement industry trade group composed of record keepers and consultants.

Hackers also could gain access to an employee's designated beneficiary's personal information, said Aaron Pottichen, principal and retirement services practice leader at CLS Partners.

While there don't seem to be any publicized data-security failures among major record-keeping firms, a slew of major corporations such as JPMorgan Chase, Anthem, Staples, Home Depot and Target have suffered breaches in other parts of their business.

“The threat of a breach is significant,” said Jeff Snyder, vice president and senior consultant at Cammack Retirement Group. “It's bound to happen in the retirement space.”

Information on record keepers' data-security protocol and protection measures is becoming more prominent in requests for proposal with clients, Mr. Snyder said. Some items being asked about: what type of data center a record keeper has, how protected it is, how often data is backed up, who has access to the data and user information, and specific procedures if there is a data breach.

Mr. Snyder and his team also conduct more due diligence onsite at record keepers' data centers.

Mr. Deviney said he is currently conducting two RFPs for clients, each with about $100 million in 401(k) plan assets, that include detailed questions on data security.

Larger plans such as these typically have a more involved RFP process than that for plans with a smaller asset base, and these plans tend to have more sophisticated committees interested in topics such as cybersecurity, Mr. Deviney said. However, it's a trend that will likely hit the small market as well.

“I think everything in this industry trickles downstream,” Mr. Deviney said.

The SPARK Institute is undertaking an initiative to develop industry standards and best practices around data security. The end goal is to enlist a third-party entity that could validate that record keepers are compliant with a particular set of standards and well protected against a breach, Mr. Rouse said.

Earning a certification from a third party would aim to satisfy consultants', advisers' and their clients' requirements around data security, and therefore limit the number of security questions necessary during an RFP.

The concern is that answers to questions on one-off RFPs make it into the public sphere and end up helping hackers compromise record keepers' systems, Mr. Rouse said. Data security questions in RFPs used to be fairly limited, but now can occupy 12-13 pages of the document, Mr. Rouse said.

“I think it's something advisers need to address,” Mr. Pottichen said.

Although the extent to which a conversation about data security is had depends partly on a client's interest in it, by not broaching the topic an adviser “could potentially be leaving a very big hole in a recommendation” to a client, Mr. Pottichen said.
