Cybersecurity is a ticking time bomb for 401(k)s

Cybersecurity is a ticking time bomb for 401(k)s
Advisers need to understand the issues, the risks and the roles of each of the parties in the 401(k) food chain that handle data, especially participant data
NOV 06, 2019
In a recent call with a 15,000-employee plan sponsor client that had implemented automatic enrollment, Kathleen Kelly, managing director at Compass Financial Partners, discussed their concerns that a majority of the plan participants had not authenticated their accounts. As a result, their accounts were at a greater risk of hacking, which led to a massive communication campaign. Beyond fees, funds and fiduciary, the normal topics for plan advisers, 401(k) clients are asking about cybersecurity issues. Greg Middleton, director of marketing at Captrust, said that cybersecurity is a "massively growing issue" within adviser RFPs, along with business continuity plans and disaster recovery testing. Record keepers are spending billions to protect their systems and employing a growing army of tech professionals who can fend off attacks on vulnerable participants' accounts. Plan sponsors are increasingly concerned not just about protecting their employees, but also about the fiduciary liability involved. [Recommended video: Protecting against the insider cybersecurity threat]​ So why have advisers been in denial about cybersecurity? What's the risk, what's their role, and how can they best protect their clients — and themselves? Institutional consultants that service larger 401(k) plans have been focused on how record keepers are dealing with cybersecurity risks. That led Spark Institute, the record-keeper industry association, to create a template so that everyone is on the same page. Yet retirement plan advisers serving smaller clients have yet to get the message and are unsure about what they should be asking and even what role they should play. Mr. Middleton noted that advisers can either outsource the evaluation process or hire IT professionals, a luxury that few advisers can afford. [More: Small advisers struggle with cybersecurity demands of regulators]​ Ms. Kelly said that she relies on LPL to provide guidance, which is one of the reasons she stays affiliated with the large broker-dealer. Many advisers have gone pure RIA, leaving them with scant IT resources. Jamie Greenleaf, principal at Cafaro Greenleaf, attends as many webinars as possible while also relying on Spark. More and more plan sponsors are realizing that as digital fiduciaries, their job is to protect participants' account and information. In turn, plan advisers hired as co-fiduciaries need to help clients manage that risk. Yet advisers are reluctant to bring up issues about which the client may know more, which is why the overwhelming majority are still focused on fees, funds and fiduciary. Advisers may not have to become cybersecurity experts or even hire professionals, but they need to understand the issues, the risks and the roles of each of the parties in the 401(k) food chain that handle data, especially participant data. So not only is cybersecurity becoming an essential part of serving defined-contribution plan sponsors, it is an opportunity for advisers to differentiate themselves by dealing with issues that competitors avoid. And advisers who think the job stops with conducting due diligence on record keepers' cybersecurity protocols are sadly mistaken. At a recent conference held by Charles Schwab, a Homeland Security representative noted that hackers are more likely to go after the smaller vendors of big providers, which are much more vulnerable. Examples of such smaller vendors would be advisers and third-party administrators, especially smaller shops that house an incredible amount of plan and participant data that is largely unprotected. Ms. Greenleaf said that she is proactive with clients and brings up the issue with committees eager to learn more about how to protect their employees and the company vulnerable to attacks. "If advisers are not thinking about cybersecurity, they should be," she said. "It's our job to protect clients, especially as co-fiduciaries." [More: Top 10 fiduciary misconceptions among 401(k) plan sponsors]Fred Barstein is founder and CEO of The Retirement Advisor University and The Plan Sponsor University. He is also a contributing editor for InvestmentNews' Retirement Plan Adviser newsletter.

Latest News

Texas man says SEC and fund could make him pay twice
Texas man says SEC and fund could make him pay twice

A $141M judgment and a federal asset freeze collide over one shrinking pool

Osaic executives Kristy Britt and Greg Cornick to leave
Osaic executives Kristy Britt and Greg Cornick to leave

The firm's CFO and EVP of Wealth Management Solutions are the latest executives to exit the broker-dealer.

Estate planning becomes a client retention issue for financial advisors, survey finds
Estate planning becomes a client retention issue for financial advisors, survey finds

Clients are saying they would consider switching advisors if another professional offered estate planning services, according to a new Trust & Will survey.

Candidly adds AI agents for Trump Accounts, workplace benefits
Candidly adds AI agents for Trump Accounts, workplace benefits

CEO Laurel Taylor says the fintech's composable AI stack helps workers optimize dollars across Trump Accounts, 529s, 401(k)s, and other employee benefits.

BMO adds three advisors in Dallas amid Y'all Street wealth boom
BMO adds three advisors in Dallas amid Y'all Street wealth boom

The bank has swiped three private banking veterans from BNY as the city climbs the ranks of America's fastest-growing wealth hubs.

SPONSORED Who builds the income when the pension disappears?

Dan Biagini of American Equity says the steady decline of pensions, longer lifespans and a reset in interest rates are rewriting how advisors build retirement income

SPONSORED Why direct indexing stopped being optional

Direct indexing is on pace to outgrow ETFs and mutual funds. Northern Trust's Ken Lassner explains why the advisors who get it wish they had started sooner.