Cybersecurity is a ticking time bomb for 401(k)s

Cybersecurity is a ticking time bomb for 401(k)s
Advisers need to understand the issues, the risks and the roles of each of the parties in the 401(k) food chain that handle data, especially participant data
NOV 06, 2019
In a recent call with a 15,000-employee plan sponsor client that had implemented automatic enrollment, Kathleen Kelly, managing director at Compass Financial Partners, discussed their concerns that a majority of the plan participants had not authenticated their accounts. As a result, their accounts were at a greater risk of hacking, which led to a massive communication campaign. Beyond fees, funds and fiduciary, the normal topics for plan advisers, 401(k) clients are asking about cybersecurity issues. Greg Middleton, director of marketing at Captrust, said that cybersecurity is a "massively growing issue" within adviser RFPs, along with business continuity plans and disaster recovery testing. Record keepers are spending billions to protect their systems and employing a growing army of tech professionals who can fend off attacks on vulnerable participants' accounts. Plan sponsors are increasingly concerned not just about protecting their employees, but also about the fiduciary liability involved. [Recommended video: Protecting against the insider cybersecurity threat]​ So why have advisers been in denial about cybersecurity? What's the risk, what's their role, and how can they best protect their clients — and themselves? Institutional consultants that service larger 401(k) plans have been focused on how record keepers are dealing with cybersecurity risks. That led Spark Institute, the record-keeper industry association, to create a template so that everyone is on the same page. Yet retirement plan advisers serving smaller clients have yet to get the message and are unsure about what they should be asking and even what role they should play. Mr. Middleton noted that advisers can either outsource the evaluation process or hire IT professionals, a luxury that few advisers can afford. [More: Small advisers struggle with cybersecurity demands of regulators]​ Ms. Kelly said that she relies on LPL to provide guidance, which is one of the reasons she stays affiliated with the large broker-dealer. Many advisers have gone pure RIA, leaving them with scant IT resources. Jamie Greenleaf, principal at Cafaro Greenleaf, attends as many webinars as possible while also relying on Spark. More and more plan sponsors are realizing that as digital fiduciaries, their job is to protect participants' account and information. In turn, plan advisers hired as co-fiduciaries need to help clients manage that risk. Yet advisers are reluctant to bring up issues about which the client may know more, which is why the overwhelming majority are still focused on fees, funds and fiduciary. Advisers may not have to become cybersecurity experts or even hire professionals, but they need to understand the issues, the risks and the roles of each of the parties in the 401(k) food chain that handle data, especially participant data. So not only is cybersecurity becoming an essential part of serving defined-contribution plan sponsors, it is an opportunity for advisers to differentiate themselves by dealing with issues that competitors avoid. And advisers who think the job stops with conducting due diligence on record keepers' cybersecurity protocols are sadly mistaken. At a recent conference held by Charles Schwab, a Homeland Security representative noted that hackers are more likely to go after the smaller vendors of big providers, which are much more vulnerable. Examples of such smaller vendors would be advisers and third-party administrators, especially smaller shops that house an incredible amount of plan and participant data that is largely unprotected. Ms. Greenleaf said that she is proactive with clients and brings up the issue with committees eager to learn more about how to protect their employees and the company vulnerable to attacks. "If advisers are not thinking about cybersecurity, they should be," she said. "It's our job to protect clients, especially as co-fiduciaries." [More: Top 10 fiduciary misconceptions among 401(k) plan sponsors]Fred Barstein is founder and CEO of The Retirement Advisor University and The Plan Sponsor University. He is also a contributing editor for InvestmentNews' Retirement Plan Adviser newsletter.

Latest News

A welcome mat into financial planning
A welcome mat into financial planning

The pandemic hit and internships were in chaos but Hannah Moore saw an opportunity.

RIAs need to visit universities to attract students
RIAs need to visit universities to attract students

RIAs need to find universities that offer financial planning programs and sponsor or host events, advisor suggests.

Orion deepens Capital Group alliance with ETF portfolio tie-up
Orion deepens Capital Group alliance with ETF portfolio tie-up

The leading wealth tech provider is helping more advisors access active ETF models through its exclusive partnership.

JPMorgan client who lost $50M amid dementia battle denied trial
JPMorgan client who lost $50M amid dementia battle denied trial

Case of once-wealthy family highlights risks, raises questions on firms' duties to sophisticated investors suffering cognitive decline.

Stifel loses huge $14.2 million arbitration claim linked to star Miami broker
Stifel loses huge $14.2 million arbitration claim linked to star Miami broker

“The evidence in this case was overwhelming,” says an attorney.

SPONSORED Leading through innovation – with Tom Ruggie of Destiny Wealth Partners

Uncover the key initiatives behind Destiny Wealth Partners’ success and how it became one of the fastest growing fee-only RIAs.

SPONSORED Client engagement strategies, growth and retention in the down markets

Key insights from Gabriel Garcia on adapting to demographic shifts and enhancing client experience in a changing market