Analyzing Retirement Industry Cybersecurity Risks and Best Practices

A certain famous bank robber is said to have explained that he robbed banks because ‘that’s where the money is.’ As of the end of 2021, U.S. retirement plans now have a significant amount of money, with more than $37 trillion of assets.

Art by Philip Lindeman

News reports in recent years show that criminals are targeting retirement plans, as well as the financial services firms that serve them.

Among those that have been targeted recently, with varying degrees of success, are Alight Solutions, Cetera and Transamerica Retirement Solutions, though they’re far from the only providers to have suffered cyberattacks.

In many cases, cybersecurity lapses can be costly to an organization. Case in point, the U.S. Securities and Exchange Commission charged multiple Cetera entities a combined $300,000 in fines and penalties last summer for failures in their cybersecurity policies and procedures that resulted in what the agency described as “email account takeovers,” which exposed the personal information of thousands of customers and clients at each firm. Earlier in 2021, the SEC censured and fined GWFS Equities, a Colorado-based registered broker/dealer and affiliate of Great-West Life & Annuity Insurance Co., $1.5 million. That case involved alleged violations of the federal securities laws governing the filing of Suspicious Activity Reports, also known as SARs.

According to the Investment Company Institute, U.S. retirement plans held $37.4 trillion of investor assets at the end of 2021’s third quarter. Experts say that ocean of money—combined with the accounts’ valuable personal data and the multiple ways of accessing accounts remotely—makes retirement plans a natural target for thieves.

“As retirement plan advisers, we see phishing schemes, ransomware, social engineering attacks, email compromise and wire fraud,” warns David Graver, vice president of Fort Pitt Capital Group in Pittsburgh. “The last one really sticks out when specifically focusing on retirement accounts. Often, emails will be compromised, or online accounts hacked, and unauthorized loans or withdrawals will be requested from the account.”

Simply put, advisers must be wary of cybersecurity risks and do their utmost to ensure clients, and their own firms, do not become victims of increasingly sophisticated and well-equipped cyberthieves.

The DOL Steps In

In early 2021, the U.S. Department of Labor’s Employee Benefits Security Administration issued new cybersecurity guidance for plan sponsors, fiduciaries, participants and recordkeepers. The first publication in the series offered suggestions for plan sponsors on hiring service providers with strong cybersecurity practices. The second publication was a 12-point list of best practices for plan service providers and the sponsors evaluating those providers. A third publication detailed online security practices for plan participants and beneficiaries.

The DOL’s work was the first of its kind and highlights the agency’s greater focus on retirement plan-related security. While the tips might be new information for some in the industry, in reality, the guidance is not groundbreaking, says Jon Meyer, CAPTRUST’s chief technology officer in Raleigh, North Carolina.

“What [the DOL] is recommending is not really any different from widely understood best practices,” Meyer says, “but that doesn’t mean the DOL’s tips don’t carry significant weight.”

He argues that the “entire ecosystem” in the retirement plan industry understands it is their fiduciary duty to make sure not only that their own house is in order, but that every supplier they work with is capable and worthy of handling sensitive data—especially participant data.

David Levine, principal and co-chair of the plan sponsor practice with Groom Law Group, Chartered, in Washington, D.C., stresses that the DOL’s tips are not binding. Nonetheless, the recommendations figure prominently in his work with clients.

“If I’m involved in a request for proposals, we will often ask about these standards and we will actually try to incorporate them into contracts,” Levine says. “If I’m representing a plan sponsor, I’ll try to put them in place between the sponsor and the adviser. These standards are being adopted in many different areas.”

The DOL is doing more than just publishing security suggestions, though. Levine says the agency is “digging deeper and moving.” He cites his experience from about two years ago, when the DOL began asking cybersecurity questions. Levine recalls that the agency’s staff members initially asked 10 short questions.

“Now they are constantly evolving,” he says. “I saw one [questionnaire] recently for a client that was four-and-a-half pages long.”

Meyer agrees that the DOL is placing greater emphasis on expanded due diligence. “I think you can run a registered investment adviser practice and not have any technology staff, but you have to be really good at supplier management and focus on how you are making sure that they are strong and capable in the cybersecurity dimension,” Meyer cautions. “Traditionally, that has not been done. People have taken at their word that Company X can provide great services. Now, the DOL is really encouraging parties to dig in and understand if somebody is capable of handling the sensitive data.”

Identifying Exposures

Identifying the cybersecurity exposures that a plan adviser or sponsor might encounter is the first step in eliminating those threats. Dennis Lamm, senior vice president, customer protection, with Fidelity Investments in Merrimack, New Hampshire, suggests that advisers should start by considering the two broad types of risks to plan sponsors and their employees.

These exposures are the risk to their data, in the form of security breaches, and the risk to their accounts, in the form of fraud.

“The former typically manifests itself through phishing, malware and, increasingly, ransomware,” Lamm says. “The latter is directed more to individual retirement and brokerage accounts and seeks to take over customer accounts by using stolen passwords and compromised email accounts, or mobile phones.”

Levine cites the idea of laying out a “data chain” to see who has access to information and to highlight potentially overlooked exposures. He emphasizes that it’s not sufficient to evaluate only a plan’s 401(k) recordkeeper. For instance, sensitive data can be shared with third-party vendors such as wellness service and managed account providers.

“Every step of the chain has a cybersecurity risk,” Levine warns. “It’s important to look at the entire lineup of your business.”

Meyer stresses the need for an independent third party to conduct a risk assessment regularly. CAPTRUST conducts an annual risk assessment and also does penetration testing twice each year. The goal of penetration testing is to identify where and how hackers might attack a firm and to determine, in a controlled and safe setting, how the firm’s defenses would hold up.

The next level of security analysis is “red team” testing. Meyer explains this involves hiring a firm that will work to actively exploit—versus only identifying—potential weaknesses in the organization’s defenses. Red team tests go beyond probing online weaknesses.

“Fraudsters don’t just attack the web,” Meyer says. “They’ll hit the call center, they’ll try faxes and they’ll try mail. They will use every channel to try and make something happen, so it’s not enough to simply just focus on a web application when you are a multichannel contact center and taking requests from participants through a variety of means.”

Building a Best Practices Framework

The sources for this article agreed that cybersecurity is not a one-and-done effort. Cybercrime is global and has no operating hours, Lamm notes, so security efforts must run nonstop. He recommends that advisers look to industry-defined best practices to address exposures internally and with vendors. Along with the DOL’s tips, he also points to the Data Security Reporting and Fraud Controls Best Practices published by the SPARK Institute’s Data Security Oversight Board as a useful resource.

“At a minimum, organizations should comply with established global standards for data security and testing, such as ISO 27001 and the SOC 2,” Lamm adds.

Ben Taylor, senior vice president and head of tax-exempt defined contribution research with Callan Associates in Los Angeles, says that creating a cybersecurity defense is best done with what professionals call a “CSF,” or cybersecurity framework.

Taylor, who serves as vice chairman of the SPARK Data Security Oversight Board, points to frameworks such as those developed by NIST (the National Institute of Standards and Technology) and ISO (the International Organization for Standardization), which set guidelines for the essential elements of basic security. To help advisers and clients understand the common themes and most important features of the major CSFs, the board developed a set of standards that identify the critical, common features for the industry.

Working With External Resources

Ultimately, there is a large amount of cybersecurity best-practices guidance available to advisers and sponsors. However, following that guidance can be a challenge if an adviser or plan sponsor lacks the internal expertise to implement the recommendations and evaluate third parties’ efforts.

Conducting due diligence on security measures is challenging, Taylor notes, partly because there is a tangle of legal liability associated with known vulnerabilities and in part because the secrecy of some of the defensive metrics is key to their efficacy.

“As a result, there continues to be a need for clear best practices, and a trusted, third-party standard for audit and review of those security practices,” he says. “There are several options for conducting security audits of key vendors like custodians or recordkeepers, and these include audits like a SOC 2 report, or an agreed-upon procedures audit that follows the SPARK template for the standard best practices.”

Meyer believes smaller organizations can lack the manpower, technical aptitude and persistence to follow a strong cybersecurity process. In response, these firms often hire technology service providers and delegate full responsibility to them.

“That’s only a partial solution,” he cautions. “I would challenge all firms to make sure they have independent oversight and audits of their service providers. If you don’t have that, then I think you end up with holes in your armor. The results are never world-class when you just hire a firm and don’t have anybody checking behind it to make sure that what it’s doing is really secure.”

Virtual Adviser Meetings: Here To Stay or Soon To Go?

Advisers review the main pros and cons of digital meetings and discuss whether or not they will become a permanent fixture.

Art by Philip Lindeman

At the start of the COVID-19 pandemic, many advisers were forced into working from home, using video conferencing tools such as Zoom or Microsoft Teams. This has allowed for easy and almost instant contact with clients across the country.

Now that states and companies are lifting certain pandemic restrictions, advisers are working to understand how virtual meetings will fit into their practices—balancing their needs with those of their clients. Several advisers offered their insight to PLANADVISER as we examine to what extent advisory firms plan to continue to leverage these digital meeting platforms, and whether or not a digital-first meeting approach may be here to stay.

Jeffrey Petrone, SageView Advisory Group Managing Director

“On the one hand, the virtual platform has allowed us to scale our service model beyond its previous limitations. We are in Florida, and previously, we may have had to drive hundreds of miles just to get to a client’s office. By using virtual platforms, we can simply click ‘join’ or click ‘disconnect,’ which means we can meet our clients or return right back to our desk instantaneously. So, you can imagine how that makes working much more efficient from a service perspective.”

“It has also been helpful from a prospecting standpoint. Initially, I wouldn’t say that plan sponsors were as interested in engaging with a new adviser virtually. Things have changed as the pandemic has progressed. I have lots of my initial conversations with prospective clients virtually now, and I actually do not see any significant difference between meeting for the first time in person or virtually. Of course, if things go well, we always will then try to have a secondary conversation in person, where we can develop that rapport that you get from the in-person conversation. The deeper relationship building occurs when you are sitting across the table from somebody.”

“The other side of this, for me, is that the pandemic has seen, and given rise to, a lot of turnover within plan committees. You may have a new chief human resources officer come in or a new chief financial officer join up. This turnover has underscored the need to build new relationships with new leaders at client companies who you might have worked with for a long time. If everybody follows this kind of virtual-first model, then you could get to a point where you might not have the same level of relationship—even with established and loyal customers. I think that dynamic could potentially put you at risk.”

“Virtual is definitely a tool that I think will be used part of the time. I do think that the need for in-person meetings is always going to be there to some extent, and what we’re trying to do right now is balance those two things against each other. We aim to create the best combination of efficiency and client loyalty and retention.”

Sean Patton, Westminster Consulting Founding Partner, Senior Consultant

“I think it’s certainly here to stay. I don’t know if services will be ‘digital-first,’ as they have been, but I think a lot of it will have to do with the comfort level of clients being willing to meet in person and up until this point, that has been pretty minimal. I think what comes next will be driven by clients.”

“I think we’ll end up at some point, post COVID, in a hybrid meeting world, where half of the meetings will be in person and half of the meetings will be digital or virtual. That mix is how we will engage clients going forward. Nothing replaces being in person. You can’t replace the collaboration and the side-talk that builds relationships with clients, and we certainly want to get back to that. Again, I think a lot of what happens next will be driven by plan sponsors.”

“Virtual meetings will remain attractive in some cases. There is a real ease of use, the ease of being able to dial into a Zoom call no matter where you are. It’s easier to schedule a meeting, especially if you have clients that are moving around and traveling to meetings as well.”

“The challenges are that people still struggle with the technology at times—you know, being muted when trying to say something important or having your connection drop. I also think, when everyone is not in one location working, it can be a challenge as we try to schedule meetings. If clients are working from home and they are doing stuff, picking up kids or stuff that just wasn’t a distraction prior to COVID because they were at their work location, now those things might get in the way.”

Brett Shofner, Work Plan Retire Principal

“In my view, digital-first service is 100% here to stay. And here’s the dirty secret: advisers would have always loved to do it this way. I’ll give you a perfect example. I have a bunch of clients in the Denver area. We have an office there. I used to have to go out there probably every other month, at minimum, and I would go see a bunch of clients. Well, now, the digital-first model makes everything simpler. In this environment, clients do not view digital meetings as being less professional or less of a commitment from the adviser. Our clients appreciate the efficiency, and they like knowing that they can have some meetings without having to waste time with all the travel or small talk.”

“Are you going to go to digital every day, all the time, and never meet people? No way. If that’s your strategy, that’s not going to work, because you still have to have a human-centered element to what you do. But again, the efficiency of going digital with the very first meeting or for meetings with people that you know well—it’s kind of perfect.”

“Digital-first meetings with longtime clients will continue to make a lot of sense. In-person meetings will probably be more important in that middle ground, where maybe the clients don’t know you as well or if there has been turnover on the committee. It’s kind of like anything in life, right? If you’re talking to an old friend, they’re going to be comfortable with you, whether in person or on the phone.”

Jon Meyer, CAPTRUST Chief Technology Officer

“Let’s look at this question from two perspectives. The first is the adviser-client perspective, and then the second is the internal view, or the firm-practice perspective. From the adviser-client perspective, I think that there is no doubt that digital meeting technologies, via Zoom or Teams, will continue after things return to normal from a COVID perspective. Sometimes clients don’t want to meet face-to-face; they want to have a quick call.”

“To me, the immediacy of a video conference is a great way to extend the relationship with the adviser and the client, simply because they can see each other. Oftentimes, advisers are very good at looking at subtle clues and people’s expressions that they might be able to see if they were face-to-face. You can’t really do that over the telephone, but I think you can often do that over a video-based meeting solution.”

“I always think clients will have the option to meet their adviser face-to-face, at least in full-service advisory models. That will always be there, but for many clients, once that relationship is established, a video conference is really acceptable. It saves time for the client, and it makes the adviser more efficient, so I don’t really see that trend stopping with the decline, hopefully, of COVID.”

“When you look at internal uses and practices, I also think the genie is out of the bottle. I can’t remember the last time I’ve had a meeting with colleagues where it was audio conference only. I think we all have tried to move to a model where we can see our colleagues face-to-face, and so all day long, there are Microsoft Teams meetings that are occurring within our firm, where people are looking at each other and doing a video call or a video conference. It’s just become second nature to us.”

“Our firm has been growing throughout the pandemic. It is very important to us that we maintain this connectivity between colleagues in every office location. I’m really proud to see that technology has played a huge role in keeping people connected during this pandemic.”

Keith Huber, OneDigital Company, Fiduciary Plan Adviser, Retirement Services

“I would say yes, as long as it is still efficient for our clients. For our firm, we would love to continue to leverage digital client service, and we still have the vast majority of our meetings predominantly using Zoom. It’s probably somewhere around 85% to 90% of meetings still on Zoom, and the other 10% to 15% have only gone back to in person at the request of the client.”

“If clients aren’t asking for it, and most of them aren’t, then we really don’t plan on going back in person in the same way we used to. We quickly found that we could do the exact same level of service, a whole lot more efficiently, by doing it on Zoom. We are in Baltimore, but so many of our clients are down in D.C. and Northern Virginia, and I’m sure that even if you haven’t spent much time there, you might have heard just how bad the traffic can be.”

“I think there is one really clear pro and one really clear con with digital-first service. The clear pro is just the efficiency. For those few in-person meetings that I’ve had recently, I felt like I had to arrange my entire day around the meeting. On the other hand, for the past two years, I’ve done four hour-and-a-half meetings in one day. So that’s a major, major pro.”

“The major con is that this remains, absolutely, a relationship business. For our team in particular, we win and probably keep a lot of our business because we are very personable. We are actually people, we’re a casual office—from how we dress to how we talk. I think that comes through to a lot of people, but I think it’s harder to get that across over Zoom. I guess to sum it up, I don’t think there’s any scenario where you can connect better with somebody doing it virtually.”

Matthew Eickman, Qualified Plan Advisors National Retirement Practice Leader

“The digital or virtual meetings will continue to be a critical ingredient in advisers’ plan service models, and what I expect will happen is that the stronger advisers will not switch to digital as a replacement for everything that they were doing before. Instead, digital meetings will allow them to do slightly less in-person work, which will result in overall more efficient and effective service.”

“Early on in the pandemic, there was this idea—people started throwing around the term ‘low touch economy.’ I never really bought into that, because what I started to see from plan sponsors and from participants is that they weren’t looking for less service when we switched to remote working and virtual conversations. They just wanted to be talked with differently.”

“What we found is that there is a desire for at least as much service as before, and so, for those who really figured out the technology aspect, they can supplement in-person service with digital capabilities. I can supplement in-person service with virtual meetings, and I can actually give my clients 25% to 50% more service. I think that’s the winning formula for advisers moving forward.”