Cybersecurity is a ticking time bomb for 401(k)s

Cybersecurity is a ticking time bomb for 401(k)s
Advisers need to understand the issues, the risks and the roles of each of the parties in the 401(k) food chain that handle data, especially participant data
NOV 06, 2019
In a recent call with a 15,000-employee plan sponsor client that had implemented automatic enrollment, Kathleen Kelly, managing director at Compass Financial Partners, discussed their concerns that a majority of the plan participants had not authenticated their accounts. As a result, their accounts were at a greater risk of hacking, which led to a massive communication campaign. Beyond fees, funds and fiduciary, the normal topics for plan advisers, 401(k) clients are asking about cybersecurity issues. Greg Middleton, director of marketing at Captrust, said that cybersecurity is a "massively growing issue" within adviser RFPs, along with business continuity plans and disaster recovery testing. Record keepers are spending billions to protect their systems and employing a growing army of tech professionals who can fend off attacks on vulnerable participants' accounts. Plan sponsors are increasingly concerned not just about protecting their employees, but also about the fiduciary liability involved. [Recommended video: Protecting against the insider cybersecurity threat]​ So why have advisers been in denial about cybersecurity? What's the risk, what's their role, and how can they best protect their clients — and themselves? Institutional consultants that service larger 401(k) plans have been focused on how record keepers are dealing with cybersecurity risks. That led Spark Institute, the record-keeper industry association, to create a template so that everyone is on the same page. Yet retirement plan advisers serving smaller clients have yet to get the message and are unsure about what they should be asking and even what role they should play. Mr. Middleton noted that advisers can either outsource the evaluation process or hire IT professionals, a luxury that few advisers can afford. [More: Small advisers struggle with cybersecurity demands of regulators]​ Ms. Kelly said that she relies on LPL to provide guidance, which is one of the reasons she stays affiliated with the large broker-dealer. Many advisers have gone pure RIA, leaving them with scant IT resources. Jamie Greenleaf, principal at Cafaro Greenleaf, attends as many webinars as possible while also relying on Spark. More and more plan sponsors are realizing that as digital fiduciaries, their job is to protect participants' account and information. In turn, plan advisers hired as co-fiduciaries need to help clients manage that risk. Yet advisers are reluctant to bring up issues about which the client may know more, which is why the overwhelming majority are still focused on fees, funds and fiduciary. Advisers may not have to become cybersecurity experts or even hire professionals, but they need to understand the issues, the risks and the roles of each of the parties in the 401(k) food chain that handle data, especially participant data. So not only is cybersecurity becoming an essential part of serving defined-contribution plan sponsors, it is an opportunity for advisers to differentiate themselves by dealing with issues that competitors avoid. And advisers who think the job stops with conducting due diligence on record keepers' cybersecurity protocols are sadly mistaken. At a recent conference held by Charles Schwab, a Homeland Security representative noted that hackers are more likely to go after the smaller vendors of big providers, which are much more vulnerable. Examples of such smaller vendors would be advisers and third-party administrators, especially smaller shops that house an incredible amount of plan and participant data that is largely unprotected. Ms. Greenleaf said that she is proactive with clients and brings up the issue with committees eager to learn more about how to protect their employees and the company vulnerable to attacks. "If advisers are not thinking about cybersecurity, they should be," she said. "It's our job to protect clients, especially as co-fiduciaries." [More: Top 10 fiduciary misconceptions among 401(k) plan sponsors]Fred Barstein is founder and CEO of The Retirement Advisor University and The Plan Sponsor University. He is also a contributing editor for InvestmentNews' Retirement Plan Adviser newsletter.

Latest News

Retirement conundrum: crippling health care costs or start dumping assets?
Retirement conundrum: crippling health care costs or start dumping assets?

Investors fearing unaffordable healthcare may spend-down assets, study reveals.

Income growth, market performance keeps middle-class wealth on track
Income growth, market performance keeps middle-class wealth on track

Quarterly financial resilience index shows easing fears.

Stocks pause near record high amid tech decline
Stocks pause near record high amid tech decline

Near-term volatility to be expected, says UBS.

Trump dominates Davos without even being there
Trump dominates Davos without even being there

World leaders, finance chiefs try to assess impact on global economy.

Why stubbornly high US Treasury yields are bad news for EMs
Why stubbornly high US Treasury yields are bad news for EMs

Investors less likely to take the risk when US notes offer such good odds.

SPONSORED Three key trends that will drive advisors’ planning in 2025

AssetMark Group CEO explains why the great wealth transfer, succession planning, and personalization will be key for advisors in the new year.

SPONSORED Why RIAs might consider investing more in trust services

A trust delivery model not only increases the value of an advisor and a firm but is also a natural addition to any firm’s succession plan.