At a recent public policy forum in Washington, DC, a retirement plan advisor (RPA) bemoaned that she was now expected to help protect her 401(k) clients against cyberattacks even though she was not a technical expert. In our view, this reflects a reality: RPAs often focus on the “triple Fs” (fees, funds and fiduciary), a comfort zone for many, but less valuable to plan sponsors than advisors who help with all aspects of running a defined contribution plan.
These days, cyber protection for DC plans is top of mind for many plan sponsors, participants and, now, the Department of Labor, which recently issued guidance and tips spurred in part by a U.S. Government Accountability Office study. Regardless of whether plan sponsors and, by extension, RPAs see themselves as digital fiduciaries, there is little doubt that cybersecurity will be a focus of DOL investigations going forward.
What Do RPAs Need to Know and Do?
Most recordkeepers are keenly aware of the issues and have beefed up cyber protection, which in turn requires plan fiduciaries to conduct documented, prudent due diligence in which they ask appropriate questions. RPAs can leverage the DOL guidance and the work completed by the SPARK Institute, but a critical issue is whether the plan and its participants will be indemnified in the case of a loss, and under what circumstances. Typically, the question is not whether a plan will be breached, but when and how often.
An increase in cyberattacks led to a 35% to 80% increase in insurance costs last year, according to Euclid Fiduciary. It has also driven new litigation, exemplified by a recent lawsuit against Colgate-Palmolive and its recordkeeper by a participant whose $750,000 account was drained and who claims that red flags were missed. Notably, the participant had left the company 12 years earlier, which may cause some plans to reconsider whether retaining the assets of separated participants is wise.
Unfortunately, anyone with access to participant and plan data is vulnerable, especially RPAs and third-party administrators who may not have the same levels of protection as larger financial service companies.
Advisors who are part of broker-dealers or larger RIAs can often leverage the organization’s resources not only to help with due diligence of providers, but also to protect the advisor’s own systems. Short of that, hiring a third-party cyber expert and making sure that the expert carries insurance may be prudent.
Most recordkeeper RFPs now include questions about cybersecurity and protection, and a growing number of RPA RFPs include similar questions, to which the advisor needs to have effective and complete answers. A key issue is whether the RPA and others at their firm can safeguard sensitive data about participants, from email addresses to Social Security numbers. As more advisors look to serve participants beyond just their retirement plan needs, more data may be collected, either from the providers or directly, which raises the risk of cyberattacks and of claims that a participant’s privacy has been breached. What happens to that data when an RPA is separated from the plan, and how that process is monitored, is also a concern.
Beyond the Triple Fs
Plan sponsors often outsource the Triple Fs to advisors because they are not experts. Advisors should do the same wherever their firms lack the relevant subject matter expertise. Given the high stakes associated with digital breaches and fraud, this seems particularly appropriate for cybersecurity. Digital worries are already having major impacts, accelerating the consolidation of recordkeepers, who are forced to spend tens of millions annually on protection. The same issues could further fuel RPA consolidation as well, making it important for advisors to be prepared and to have a broad understanding of the issues involved.