Battening Down the Hatches Against a Data Breach

Retirement plan advisers and plan sponsors share some concerns about data security, but advisers are especially worried.

An emerging area of concern for plan advisers might just be the actual data of the retirement plan itself, which could shape up to be a compliance issue for the plan sponsors they support. And of course plan advisers themselves hold a great deal of sensitive data on their own clients.

Both FINRA and the Securities and Exchange Commission (SEC) are worried about the amount of personal data an adviser has, notes Gary Sutherland, chief executive of North American Professional Liability Insurance Agency. “They think advisers will be a handy target for people to steal identity,” Sutherland says, “because they tend to be smaller firms with less resources to protect the data.”


Data security is an obligation of all who hold sensitive information, says Marcy Supovitz, principal at Boulay Donnelly & Supovitz Consulting Group. “Even without specific DOL (Department of Labor) guidance, advisers need to be vigilant in protecting plan and participant data as part of their general fiduciary responsibility to clients,” she tells PLANADVISER, noting that cybersecurity governance is a top business issue for her firm.

After issuing a detailed checklist of what advisory firms should provide in terms of data protection in February, the SEC brought out additional steps for firms to address cybersecurity risk. “We viewed that checklist as an opportunity to assess our procedures and, equally important, to re-educate our employees about cybersecurity, as firms are only as safe as their weakest link,” Supovitz says.

Supovitz raises another issue for advisers, sometimes overlooked, that arises when a mutual fund owns shares in a company that has been the victim of a cybersecurity attack. “Prudence may call for removing the fund from the plan’s investment lineup,” she says, “especially if the fund has a large weighting in the victim company.”


Tracking devices on laptops are vital and highly affordable, Sutherland says. “Advisers can remotely wipe out data if it is exposed,” he says, “and three years of coverage is about $100 per laptop.” He recommends installing the software at the time of purchase, so that protection and tracking kick in immediately.

Sutherland recalls an insured client who left his laptop on a train one Friday. He notified the train authorities and was told the next day that the laptop had been located. But when he went to pick it up on Monday, it was gone. Tracking would have helped the client, he says, but the more important piece is that once the computer is used to go online, it sends a signal to tell the owner to eliminate the data. “Laptops may be password-protected,” Sutherland says, “but in the same carrying case as the computer is a sticky note with your log-on and password name.”

When it comes to data protection for a retirement plan, two areas stand out, according to Supovitz. “First, when plan sponsors engage us for a vendor search, we address cybersecurity risks early on in the selection process,” she says. In the request for proposal (RFP) process, Supovitz evaluates the data security procedures of every vendor.

Critical points to compare include how they seal off access to confidential information from intruders and how they monitor cybersecurity procedures on an ongoing basis, notes Supovitz. Plan sponsors can engage the services of an expert to help vet providers, or turn to someone internally on their own IT staff.

“Security should be a pretty significant area of focus for all data that plan sponsors house,” says Adam Pozek, a partner at DWC ERISA Consultants. From Social Security numbers to home addresses and even direct access to payroll, in some cases, the data transcends any one benefit plan, Pozek tells PLANADVISER.


Be aware of the information chain. “If a plan sponsor has security measures in place but the service provider is lax, their data can still be at risk, making data security a critical part of any vetting process, whether for payroll or a benefits plan,” Pozek says.

Sutherland says plan sponsor due diligence on all providers includes asking questions on the provider’s own history of data loss, whether they have insurance to cover a breach and what steps they will take to protect the identity of the plan sponsor as well as the plan sponsor’s employees.

Beyond looking into a provider’s actual data systems, Sutherland recommends that a vendor conduct background checks on new hires and change passwords frequently so they can’t be saved (every 60 days is recommended).

“Plan sponsors will want the TPA and recordkeeper to back up systems at least weekly,” Sutherland advises. Daily backing up is preferable, with redundant systems available. “Typically, if a TPA’s system is hacked into, the provider can move into another system in the Cloud so they can be up and running within hours, not days.”

Pozek says he would ask whether the provider has a specific data security policy for the way its own employees handle data, a question that can generate several more lines of inquiry. “If an employee accesses data through a smartphone, mobile device or laptop, are those devices encrypted or password protected?” Pozek asks. “What type of security is in place? What steps does the organization take to make sure its employees understand the importance of protecting sensitive data? For example, do they understand that many states have restrictions against emailing Social Security numbers over the Internet without password protection or encryption?”


A data breach can generate different costs, Sutherland points out, such as the first-party costs incurred by the recordkeeper and TPA to notify people of a breach or compromise. “The recordkeeper or TPA might need to bring in a lawyer to handle the notification process or, in some cases, public relations people and/or IT forensics,” he says. “Third-party costs appear when the data they hold belongs to one of their clients and the client suffers damages as a result of the data breach. If the plan sponsor gets a letter saying all their employee data was breached, costs could also include new credit monitoring as well as any potential damages to the employees (third party).”

The typical cost to manage someone whose data has been breached is about $150 per person. “At 800 employees, for example,” Sutherland says, “that $150 for each can add up pretty quickly.”

While ERISA has no specific jurisdiction over plan data, in Pozek’s opinion, all businesses should have a written policy on data security. “It goes into the prudent process selection,” he says. “They have to evaluate on different criteria.” Plan sponsors that don’t feel comfortable reviewing procedures and vendors should seek outside help from their own IT department, an attorney or investment adviser: “Anyone qualified to look at the response and provide guidance.”

The need to pay attention to data security transcends any benefit plan or company size, Pozek says, noting that most breaches are done by robots trained to look for holes they can take advantage of. “Anyone who would use the data for nefarious purposes doesn’t care how big or small you are,” he says.

Why Your Clients Should Institutionalize Their DC Plans

The “retailization” of 401(k)s and other plan types has sold participants short, experts say.

If a road map is available, why make up a route as you go along, hoping you’ll find the way?

According to Holly Verdeyen, director of defined contribution investments at Russell Investments, one reason individuals favor the defined benefit (DB) plan model is that it offers a road map—a charted route to greater retirement success led by the employer. The interest in DB plans is more than psychological; virtually every year DB plans outdo their defined contribution (DC) plan counterparts in terms of investment returns and success generating future retirement income.


The Callan DC Index, for example, shows DB plans outdoing their DC counterparts by about 1% nearly every year. As Verdeyen explains, DB plans often benefit from greater access to institutionally priced investments and longer-term thinking that helps drive down costs. She feels retirement plan advisers can deliver a lot of value by helping DC clients think more like their DB plan colleagues. With their knowledge of relevant regulations, their objective professional eye, and a long-range view, plan advisers are in an ideal position to help these sponsors understand what lies ahead.

Another advantage, says Michael Swann, director of DC strategy for SEI Investments Co., is that advisers have the opportunity to build long-term relationships with plan committee members, helping them build that all-important road map for retirement.

DC plans can often be improved by recognizing which pressures most often drive them off course. In contrast to the historically tested principles behind defined benefit plans, many defined contribution plans have been shaped by retail investment marketplace trends and forces beyond the control of employers and employees.

“DC plans actually began as institutional plans, but during the tech boom of the late 1990s grew retail-focused,” says Josh Cohen, managing director, head of institutional defined contribution at Russell Investments, in his April Insights & Research Newsletter. Plans began “offering participants mutual funds they recognized from TV commercials,” he says.


“The [retail] mutual fund industry had a great degree of influence on how DC plans were built in the decades leading up to today,” Verdeyen agrees. This became especially clear when the number of fund offerings exploded and defined contribution plans started daily valuation of participant accounts. Participants could now find their funds in the paper and monitor and manage them daily, which “led to some sub-optimal participant behaviors,” she notes.

It’s an issue that is still unfolding—with thought leaders debating the wisdom of offering actively managed single asset-class funds to workplace retirement savers. Investment lineups have drifted in a meaningful way towards passively managed funds and multi-asset class portfolios. Active or passive, most agree participants are ill-equipped to build efficient portfolios from the ground up.

But institutionalization does not mean a full move to passive investments. “It would be very rare to see a DB plan or charitable trust use 100% passive management,” Verdeyen says, calling that “a phenomenon singular to defined contribution plans.” Defined benefit plans “are going to use a thought-out mix of active and passive for different asset classes and maybe even combine them in the same asset class.”

Such thinking typifies a main difference between the two types of plans and shows advisers an entry point for getting to work. They first need to broaden the plan sponsor’s thinking in these areas.


A recent report from the Defined Contribution Institutional Investment Association (DCIIA) argues DC plan sponsors should carry a DB mindset across their operations. In terms of “institutionalizing” DC investments, this will mean broadening access to traditional and alternative asset classes, with both passive and active management of each, and potentially the unbundling of different investment services, Verdeyen says.

The DCIIA’s study “Institutionalizing DC Plans: Reasons Why and Methods How” breaks down the institutionalization process step by step, noting that, given the breadth of the changes involved, implementation will take a while. In a later paper, which highlights the fiduciary’s role, plan sponsors are advised to seek help from an adviser throughout.

In the preliminary stage, advisers can be especially helpful for ensuring the sponsor adjusts all governing plan documents such as the investment policy statement (IPS) before implementing changes, as well as the summary plan description (SPD), educational materials and participant communications to explain what is being done.

From there on, the adviser can help keep the plan sponsor focused on its ultimate goal—maintaining an effective plan and proper plan governance, Swann says. “Institutionalization doesn’t mean the plan sponsor has removed all liability. [Plan] advisers … can help their clients remain engaged with fulfilling their fiduciary duties, and stay up to date with changes in regulations, the marketplace and industry best practices,” he says.

To foster this, “advisers can give independent evaluation when it’s needed,” he says. Additionally, they can aid in choosing investment solutions by comparing the track record and experience of fiduciary managers, he says.
