Are You Leaving the Door Open?

Advisers may be overlooking points of entry to their data—what they can do to prevent cyber theft.
Reported by Judy Ward

If you have not gotten serious about mitigating cybersecurity risks at your advisory practice, you should.

“Advisory firms really need to treat information security formally,” says Chief Technology Officer Jon Meyer of CAPTRUST in Raleigh, North Carolina. “They need to develop an information security policy, and procedures and processes to address any risks.

“The way you get better at this game,” Meyer continues, “is to have policies and procedures in place, to do regular security risk assessments, and to address the gaps identified in those assessments.” Many advisory firms “never really go down the road of doing a risk assessment and then developing formal policies and procedures to address those issues.”



With lawsuits over retirement plan cybersecurity breaches beginning to crop up, plan advisers could be vulnerable to future legal action. “The thing that could be surprising to a financial advisory firm that suffers a breach is, you are the victim of a crime here. But within a very short period of time, the sharks [i.e., plaintiffs’ attorneys] are circling, and they’re looking for claims to assert,” says Kristy Brown, a partner at law firm Alston & Bird LLP in Atlanta. “They aren’t going to sue the cybercriminal, who is likely somewhere overseas and whom they can’t even find.

“There is vulnerability and risk for advisers, and it underscores the need to be proactive in taking steps to mitigate the risk.”

Lack of Guidance

There are currently no laws or regulations that explain what specific responsibilities advisers have for protecting participants’ data, Brown says. So far, most of the legal actions filed against other kinds of companies “focus on the idea of taking ‘reasonable security measures,’” she says. “That’s fuzzy, and fuzzy is hard for companies. It’s not as simple as looking at a one-size-fits-all list of requirements and making sure that is satisfied.”

The Employee Retirement Income Security Act (ERISA) nowhere spells out the responsibilities that fiduciaries have for participants’ data security, agrees Edward Redder, a partner in law firm Thompson Hine in Columbus, Ohio. “That’s one of the frustrating points that many practitioners have raised with the DOL [Department of Labor]: There aren’t any clear rules on what their duties and responsibilities are,” he says.

However, ERISA’s broader principles indirectly provide guidance on cybersecurity. “It’s all about process under ERISA,” Redder says. “ERISA doesn’t require that the results always end up where we’d like them to. But it does require having a prudent process in place and following it.”

Financial advisers also are subject to the Securities and Exchange Commission (SEC)’s Regulation S-P, which requires that advisers have “reasonably designed” cybersecurity policies, says Craig Foster, also a partner at Thompson Hine in Columbus. And state laws could potentially come into play in a lawsuit. “Many states have ‘deceptive trade practices’ acts, and those often provide for civil penalties,” he says. “So advisers could have some vulnerability there.”

An amended complaint in a lawsuit filed last year by an Abbott Laboratories Stock Retirement Plan participant—alleging that protocol failures led to a $245,000 theft from her account—makes a claim against the plan’s recordkeeper based on deceptive trade practices, Redder says. “That’s an area that plaintiffs’ attorneys are exploring,” he says. “Does ERISA pre-empt those state laws? That is still an open question.”

Lay the Foundation

Advisory firm PlanPilot in Chicago has developed a cybersecurity policy with protocols including how its staff handles participant data. “In essence, it’s like having an investment policy statement [IPS],” says Managing Director Mark Olsen. “It’s all about putting procedures in place and documenting that you are following those procedures on an ongoing basis.”

A cybersecurity policy should specify the steps an advisory firm takes to protect participant data. “First and foremost, the policy should limit data access to the people who actually need the data,” says Chief Compliance Officer Sharina Merid of SageView Advisory Group in Newport Beach, California. “You need to keep that information closely held—with the people who need to know that information. Any participant data we have, we hold onto it tightly and secure it as much as possible.”



The policy also should lay out the plan for what happens if a sponsor has reason to believe a third party successfully entered the company system without authorization. “It’s very important to do an incident response plan,” Brown notes. “It needs to spell out: ‘If there is a data breach, what do we do?’ You can’t start to figure that out once something happens, because you have to act fast to identify where the hackers have been in your system, and confirm they’re no longer there. You also need to have an incident response team: Identify who is on that team and what role each person would play. Having a playbook and a cast of characters is really critical, if something happens.”

And while technology plays a crucial role in cybersecurity, she says, there is also a huge human factor. “There’s definitely a training component, to make sure a firm’s employees keep data security top of mind and understand the various forms of intrusion they could encounter.”

All PlanPilot employees receive education. “Everyone who works here is trained on cybersecurity, whether they’re in an area that needs access to sensitive participant data or not,” Olsen says. “Even interns are trained—not because they’re handling sensitive data, but because, if they happen to pick up the phone when a participant calls, we want to be super-sure they know how to respond.”

CAPTRUST trains new employees on its cybersecurity processes, as well as educating all employees annually. “We have an information security policy that every new employee has to read and sign off on, acknowledging that he or she has read it,” Meyer says. “We also have initial cybersecurity training we do online.” Asked what points he wants new colleagues to take away from that training, he says, “Clearly, that we take it seriously. There is probably no greater risk to our firm than a human mistake leading to someone’s assets being stolen and to a loss of a client’s confidence in us.

“We want them to be thoughtful in the actions they take, such as the emails they open and the emails they send,” Meyer continues. “We also want them to be careful about keeping a clean desk and about what documents they print out versus looking at them electronically. And we want them to understand, if they’re in a position to facilitate the transfer of money for clients, that they have to be careful with all of the procedures that relate to that transfer.”

Clean House

As to key ongoing steps to prevent data breaches, Brown suggests that a firm have in its system only the participant data it currently needs in order to do its work for the client. “Companies have a tendency to collect data they may not need now but that they think could be useful in the future,” she says. “That’s really just amplifying the risk: The more sensitive data you have on your server, the more risk you have if there’s an intrusion.”

CAPTRUST keeps little individual participant data in its system, Meyer says. “There are actually very few instances when we need [it] to do our work,” he says. “I think any service provider working with retirement plans should collect participant data only when it is absolutely required for doing their job.”

Lockton Retirement Services in Kansas City, Missouri, has little individual participant data in its system, says Chief Administrative and Compliance Officer Karen Prange. “Most of the time, if we’re analyzing a plan’s participation or its participants’ investment allocations, we don’t really need individual participant data,” she says. “If we do, we minimize what we ask the recordkeeper for. We generally can do an analysis without having information such as participants’ Social Security number, their address or even their name. Then we eliminate that data from our system when it’s no longer relevant to doing our work.”

Some advisory firms, with cybercrime prevention in mind, have no provision for letting participants withdraw money from their account. “We don’t handle any of those types of transactions, such as loan requests or distribution requests,” Olsen says. “If a participant asks about it, we’re trained to provide only contact information for that plan’s recordkeeper, because that’s public information.”

SageView, for another firm, does not process loan or withdrawal requests, Merid says. The practice has a protocol that staff must follow if a participant asks about them. “If a participant contacts SageView for assistance with a loan or withdrawal, we always refer the person back to the recordkeeper,” she says.

If an advisory firm does need individual participant data to do its work, sources recommend carefully limiting which employees may see it. “If that data is absolutely required to do our job, then we minimize the number of people who have access to it,” Prange says. If Lockton’s Chicago office serves a plan client, for example, only staff members there who work directly with that plan can access the data.

To begin getting access to specific data in SageView’s system, an employee must go through an approval process with the advisory firm’s compliance department. “We have people who are identified as having access to specific client information, and we regularly look at that list closely, to limit the number of people,” Merid says. “We’re asking, does this person still need access to that information? If he does, we keep that person on the list. If he doesn’t, we rescind his access to that data.”

Advisory firms need a strong, role-based access program to determine who gets access to which data, Meyer advises. That starts with identifying all of the different role types among an advisory firm’s staff. Then it requires determining which specific roles should have access to which data to fulfill job duties. “It’s not magic; it’s just detailed work,” he says.

CAPTRUST’s cybersecurity policies include a recurring user-access review process, Meyer says. “We review role-based access quarterly,” he says. The firm uses the identity-security platform from SailPoint Technologies Holdings Inc. Each quarter, the program sends the previous quarter’s access data to managers and asks them to review it for their area and sign off that they saw nothing problematic or in need of change.
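The two steps Meyer describes, mapping each role to the data it needs and then having managers attest each quarter to what was actually granted, can be reduced to a small review routine. The following is an added example written for this article; it is not CAPTRUST’s or SailPoint’s code. The roles, data classes, staff names and managers are constructed for illustration, and the entitlement snapshot stands in for what an identity platform would export for the previous quarter.

```python
"""Quarterly role-based access review over a constructed entitlement snapshot."""
from collections import defaultdict

# Hypothetical role model: which classes of data each role needs for its job duties.
ROLE_ENTITLEMENTS = {
    "plan_consultant": {"plan_summary", "investment_allocations"},
    "compliance": {"plan_summary", "participant_pii", "access_logs"},
    "intern": set(),
}

# Constructed staff roster: each person's role and the manager who signs off on their access.
ROSTER = {
    "alice": {"role": "plan_consultant", "manager": "dana"},
    "bob": {"role": "compliance", "manager": "dana"},
    "carol": {"role": "intern", "manager": "erin"},
}

# Constructed snapshot of what the identity system actually granted last quarter.
ACTUAL_ACCESS = {
    "alice": {"plan_summary", "investment_allocations", "participant_pii"},  # one grant beyond her role
    "bob": {"plan_summary", "participant_pii", "access_logs"},
    "carol": {"plan_summary"},  # an intern who should hold no data access
    "frank": {"participant_pii"},  # no longer on the roster, still holds a grant
}

ORPHANED = "__orphaned__"  # bucket for accounts with no roster entry


def review_access(roster, actual, role_entitlements):
    """Compare granted access against role entitlements.

    Returns {manager: [(user, [excess datasets]), ...]}. Grants held by accounts
    missing from the roster land under ORPHANED, since nobody can attest to them.
    """
    findings = defaultdict(list)
    for user, granted in actual.items():
        entry = roster.get(user)
        if entry is None:
            findings[ORPHANED].append((user, sorted(granted)))
            continue
        allowed = role_entitlements.get(entry["role"], set())
        excess = granted - allowed
        if excess:
            findings[entry["manager"]].append((user, sorted(excess)))
    return dict(findings)


def render_signoff(findings):
    """Produce the per-manager text a reviewer would be asked to sign off on."""
    lines = []
    for manager in sorted(findings):
        heading = "Unowned grants (remove)" if manager == ORPHANED else f"Review for {manager}"
        lines.append(heading)
        for user, excess in findings[manager]:
            lines.append(f"  {user}: not justified by role -> {', '.join(excess)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_signoff(review_access(ROSTER, ACTUAL_ACCESS, ROLE_ENTITLEMENTS)))
```

The point of keeping the role model separate from the snapshot is that the quarterly question becomes mechanical: anything in the snapshot that the role model does not justify is either removed or becomes a documented exception, and an account that no roster entry owns is removed outright.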

For PlanPilot, the mechanics of cybersecurity also include a protocol for accepting participant data sent by a sponsor client. The advisory firm will accept the data only if it was transmitted in an encrypted email and in a “read only” format: It accepts no files in a format that would allow PlanPilot to edit. “Our protocol is that we can only view participant data—we can’t change it,” Olsen says. Any file not meeting those specifications will be deleted by the staff member who receives it; he then asks the client to resubmit it properly.

Stay Proactive

Companies need a regular scan of their system to detect potential cybersecurity problems, says John Busch, president of Busch Data Management in Anaheim, California. The firm consults with SageView on its cybersecurity. “This is ‘policing’ the data,” he says. “You need to make sure that all the proper rules of ‘hygiene’ are actually being followed.”

Doing so includes proactively ascertaining that a firm is storing nothing but the personally identifiable information (PII) it needs to fulfill current duties. “Any PII you receive, you have to treat as ‘toxic waste,’ and we are always scanning SageView’s system and looking for toxic waste,” Busch says. It could slip an adviser’s mind to delete stored PII from a previous client’s project, and frequent system scans help minimize that risk. “If you don’t know that you have the data, you can’t correct it,” he says. “Anytime personal data is on the SageView system that doesn’t need to be there, we purge it.”

It is also important to proactively scan an advisory firm’s system for potentially problematic activity. “You have to be in front of the threats,” Busch says. His company uses artificial intelligence (AI) technology to frequently look for abnormal activities in SageView’s system—e.g., if someone has tried to log in from an unusual international location. “We’re always looking for what’s out of place,” he says. “The reality is, if you’re not looking for it, you’re never going to find it.”
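The login example Busch gives, a sign-in from an unusual international location, is the kind of check that can be run as plain rules over authentication logs before any AI tooling is involved. The following is an added example, not the monitoring Busch Data Management runs for SageView. The log lines, user names and IP addresses are constructed (the addresses are from the documentation ranges), and the two rules, a first login from a country not in the user’s history and two successes from different countries too close together to travel between, are assumptions about what “out of place” should mean here.

```python
"""Flag logins from unexpected countries in constructed authentication log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: ISO timestamp, then key=value fields.
LINE_RE = re.compile(r"^(\S+) user=(\S+) ip=(\S+) country=(\S+) result=(\S+)$")

# Two successful logins from different countries closer together than this are suspicious.
TRAVEL_WINDOW = timedelta(hours=2)

SAMPLE_LOG = """\
2024-03-04T09:12:00Z user=alice ip=203.0.113.5 country=US result=success
2024-03-04T17:40:00Z user=alice ip=203.0.113.5 country=US result=success
2024-03-05T08:55:00Z user=bob ip=198.51.100.7 country=US result=success
2024-03-05T09:30:00Z user=alice ip=192.0.2.44 country=RO result=failure
2024-03-05T09:31:00Z user=alice ip=192.0.2.44 country=RO result=success
2024-03-06T10:00:00Z user=bob ip=198.51.100.7 country=US result=success
2024-03-06T11:00:00Z user=bob ip=192.0.2.9 country=BR result=success
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit the format."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    raw_ts, user, ip, country, result = match.groups()
    return {
        "ts": datetime.strptime(raw_ts, "%Y-%m-%dT%H:%M:%SZ"),
        "raw_ts": raw_ts,
        "user": user,
        "ip": ip,
        "country": country,
        "result": result,
    }


def detect_anomalies(log_text):
    """Replay successful logins in time order and flag ones that break each user's baseline."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    seen_countries = defaultdict(set)  # per-user baseline built from earlier successes
    last_success = {}
    alerts = []
    for event in events:
        if event["result"] != "success":
            continue  # failures do not extend the baseline
        user, country = event["user"], event["country"]
        reasons = []
        if seen_countries[user] and country not in seen_countries[user]:
            reasons.append("new_country")
        prev = last_success.get(user)
        if prev and prev["country"] != country and event["ts"] - prev["ts"] < TRAVEL_WINDOW:
            reasons.append("impossible_travel")
        if reasons:
            alerts.append({"ts": event["raw_ts"], "user": user, "ip": event["ip"],
                           "country": country, "reasons": reasons})
        seen_countries[user].add(country)
        last_success[user] = event
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['user']} from {alert['country']} ({alert['ip']}): "
              + ", ".join(alert["reasons"]))
```

On the sample, alice’s Romanian login is flagged only as a new country, since it comes a day after her last US session, while bob’s Brazilian login an hour after a US one trips both rules. The baseline is intentionally built only from successes, so a burst of failed attempts from abroad cannot “teach” the detector that the location is normal.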

Lockton Retirement Services regularly apprises staff members about current cybersecurity threats. It sends them compliance updates and includes cybersecurity news in its Workplace system, an internal-communications tool for businesses, provided by Facebook, that Lockton began using last year. “It works well to keep our employees informed. Especially for our younger employees, that’s the way they’re accustomed to getting information,” Prange says. “So instead of cybersecurity updates getting buried in my email inbox, I scroll through news on Workplace.”

 

Helping Participants Help Themselves

One of the best ways to keep participants’ data and assets secure is for these individuals to stay engaged. “Participants can dramatically reduce the risk of fraud by taking simple steps to safeguard their account,” says Duke Alden, vice president of client and customer security at Alight Solutions in Lincolnshire, Illinois.

Here are five pointers advisers can pass along to participants for how to keep their account and assets safe:

Register your account. “The best way for participants to secure their account is to secure their log-in credentials: Personalize their user name and password, answer the security questions, and set up the two-factor authentication,” says Eric Brickman, chief solutions officer at Newport in Walnut Creek, California. Participants sometimes assume they are safer if they never fully set up their online account, he says. “The irony is, that’s the least secure way to handle it,” because keeping their first-time log-in credentials rather than customizing them makes it easier for cybercriminals to figure out access. “So every time someone calls into our call center who hasn’t registered their account, we say, ‘Hey, we see that you haven’t logged into the site to set up your security credentials.’”

Take simple preventative steps. Alden says these include not using the same password for their participant account that they use for other email or online accounts, not sharing their account log-in information with others, keeping their contact information up to date with their plan’s recordkeeper, and responding immediately to alerts they get from the recordkeeper about activity in their account.

Check your account at least quarterly. If participants never log into their online account, it could take much longer for a cybercrime to be discovered. “Retirement accounts are not like an active-trading account: Many people ‘set it and forget it,’ and many others are automatically enrolled,” Brickman says. “Typically, we say to participants, ‘You should be checking your account at least quarterly.’ If you’re doing that, at least you’re seeing if there has been activity that you don’t recognize.”

Be careful how you access your account. Using free WiFi poses a security risk, because fraudsters can invade these open networks more easily, so participants should access their account only from a network they know is secure. “And if you’re using a [public] computer at a hotel or elsewhere while traveling, don’t check the button on a [participant] website that says something like, ‘Remember my login,’” Brickman says. The next person who accesses that site on that computer will have entrée to the participant’s account, he says.

Stay wary of suspicious emails or calls. “I tell participants, ‘If you haven’t called your plan’s recordkeeper to ask about your retirement account, but you get a call out of the blue from someone claiming to be with your recordkeeper and asking for your personal information, just hang up,’” PlanPilot’s Mark Olsen says. “That may seem rude, but most likely, that person is not from the recordkeeper and is interested in getting good data points so they can try to steal your money.”


A Closer Look at Recordkeeping Data

A recordkeeper’s participant data can help give the plan’s adviser insights that lead to changes in plan design, the investment menu and education that improve participant outcomes. But to help protect participant data, it is important for advisers to be mindful about how much data they access and to understand recordkeepers’ cybersecurity policies and processes.

Plan advisers often want access to as much data about a plan’s participants as the recordkeeper will provide, says Eric Brickman, chief solutions officer at retirement plan provider Newport in Walnut Creek, California. “How much access to data an adviser actually gets runs the gamut,” he says. “It’s a function of the adviser’s role with his plans: The data follow the need. As the recordkeeper, we function as a steward of the data.”

Typically, when advisers gain access to Newport participants’ individual plan data, that is preceded by plan sponsor authorization, often via written agreements between the sponsor, the adviser and Newport. “The plan sponsor approves the adviser’s access to specific data, and Newport then works with the adviser, based on the sponsor’s direction,” Brickman says. “It’s a healthy system of checks and balances.”

It is worth the adviser’s time to fully discuss with the recordkeeper the data it has supplied, Brickman suggests. “At Newport, we don’t just view it as a transaction of sharing the data,” he says. “We walk the adviser through the data we’re sharing. Often, advisers just assume that data are data.” As recordkeepers have different ways of organizing and updating participant data, an adviser can easily misinterpret it unless it is explained, he says. “That’s why we believe it’s important for an adviser to not just see the data, but to truly understand it,” he adds.

It is also worth advisers taking the time to help their sponsor clients understand their recordkeeper’s cybersecurity protections for participant data, sources say. “It’s a generally accepted practice that advisory firms participate in a security assessment at least once a year for those recordkeepers they’re recommending,” Brickman says.

Every recordkeeper will check the box “Yes” in response to a cybersecurity questionnaire asking whether it has a cybersecurity policy or encrypts data, says Karen Prange of Lockton Retirement Services. “As advisers, we help sponsors go beyond the first layer of information. Our goal is to help them look underneath that initial response. We want to really understand how the recordkeeper’s program works, how it is creating its strategy, the cybersecurity governance it has in place, and how it is testing its program.”

Duke Alden, vice president of client and customer security at Alight Solutions in Lincolnshire, Illinois, sees two overall keys to a recordkeeper’s cybersecurity approach. “The first is continual evolution. The threat landscape changes constantly, so we must adapt, adjust and make investments in new security measures,” he says. Second, a recordkeeper needs to create a culture of accountability and ownership about cybersecurity, he says.

Beyond those two factors, a recordkeeper’s specific controls and procedures for fighting fraud are especially crucial, Alden says. “Fraudsters continue to show a lot of creativity, and a level of relentlessness, that we must match every day. It’s important that recordkeepers employ an intelligent and layered security model that protects participants’ accounts, while still providing a positive user experience,” he says. This should include the latest security features such as multi-factor authentication at log-in, real-time fraud detection capabilities for certain transactions, and text alerts to participants when a transaction is initiated for their account or an account change such as an address change is requested.

An adviser evaluating a recordkeeper’s cybersecurity will need to understand how it processes distribution requests and the steps it takes to prevent fraudulent withdrawals, says Edward Redder of Thompson Hine. “Can someone go through the online participant portal or mobile application to initiate a distribution?” he says. “If that’s the case, does a participant have to use multifactor authentication to get access to the account? This can significantly mitigate the risk of a ‘bad actor’ redirecting a distribution.”

It is important to understand a recordkeeper’s cybersecurity track record, says Craig Foster of Thompson Hine. “If it has had hacks, especially if they resulted in a [monetary] loss to individual accounts, how have they been resolved?” he says.

Redder advises also learning about the internal review process the recordkeeper uses if a data breach occurs.

And if a cybercriminal succeeds in making a fraudulent withdrawal from a participant’s account, look at the recordkeeper’s policy on making the participant whole. “We’re seeing an uptick in the number of recordkeepers that provide some type of warranty or guarantee that would protect a participant if there is a loss to his or her account because of a third-party ‘bad actor,’” Redder says. “But all of these guarantees from recordkeepers also require the participant to have taken certain actions before the loss, to be covered. It’s important to carefully review the requirements in the guarantees.”

The requirements vary by recordkeeper, he says, but could include something such as a participant previously having changed his password whenever prompted by the recordkeeper.

Foster suggests that an adviser should also examine the coverage provided in the recordkeeper’s cyber-insurance policy, which can vary. “When cyber insurance started to be introduced, it was very expensive and didn’t cover much,” he says. “Now, the cost has come down, and it may cover more.”


Art by David Plunkert
