2018 – The Year of Cybersecurity

I had a chance to watch some of Mark Zuckerberg’s testimony to Congress. The past 24 months have helped inform the entire country on the risks of stolen data as well as the risks when data lawfully obtained is used for purposes other than its intended use.

Data and Access Security
Retirement plans have exposure in these two key areas. Retirement plan recordkeepers have spent much of the last two decades reducing the number of “clicks” a participant may need to review information and process a transaction. While intended to simplify the participant experience, some of these pass-through processing systems have been subject to breach as bad actors use them to process retirement plan distributions or request loans on behalf of an unknowing participant, thereby breaching the plan.

Use of Personal Information
In the past, we have written and spoken about the changing nature of retirement plan recordkeeping. As fees continue to compress, recordkeepers are using retirement plan recordkeeping as an avenue to distribute additional products and services. This creates the second challenge for retirement plan sponsors. What controls are in place to ensure the demographic data necessary to operate the plan (wage, savings, email address, etc.) is not being used to aid in selling additional unrelated products?

Providers and plan sponsors are moving to address these risks in different ways. 

The increased volume of thefts from retirement plans has caused the industry to move quickly to reduce exposure.  Smaller recordkeeping firms have suspended wire transfer payments from the plan to slow the distribution process and better track outgoing cash payments for loans and distributions.  Larger providers have moved to dual authentication for the movement of cash to ensure a stolen password does not result in a blank checkbook for the thief.  The largest of the national providers have augmented dual authentication with more sophisticated voice authentication capabilities.

To address concerns about personal information, larger plan sponsors are debating the merits of non-solicitation agreements with their recordkeepers to eliminate the cross-sell incentive to misuse data.  Purchasing groups and request for proposals (RFPs) have become very explicit in limiting the use of data obtained through the recordkeeping process.

While sitting through an education presentation on cybersecurity recently, the moderator shared that no cybersecurity procedure can be perfect given the sophistication of the bad actors. However, the key is to be more sophisticated than the person next to you. Ultimately, bad actors aren’t looking for challenges; they’re looking for money, and the more difficult you make the system, the more likely they will move on to an easier target. In the jungle, you don’t need to be faster than the tiger; you need to be quicker than the person next to you.

There are steps plan sponsors should take to assess the security of their plan and the safety of their participants, starting with the following questions for their providers.

Data and Access Security

  1. Who is liable in the event of a security breach where participant assets are stolen?
  2. What authentication (participant and sponsor) is required before a distribution is made?
  3. How would the plan be notified if data is breached?
  4. How does the provider monitor the system against cyber threats?
  5. Does the provider possess cyber threat insurance?

Use of Personal Information

  1. Who outside the retirement services organization has access to personal information?
  2. How might a participant find themselves in a situation where their personal information is utilized to facilitate the purchase of additional services (rollovers, managed accounts, brokerage accounts, etc.)?
  3. Will the provider agree to a non-solicitation provision?

Cybersecurity and the protection of participant data are a rapidly changing area, and the rules pertaining specifically to retirement plans are nearly non-existent. Knowing how well your retirement plan providers are addressing this evolving field is an excellent start.


Multnomah Group is a registered investment adviser, registered with the Securities and Exchange Commission. Any information contained herein or on Multnomah Group’s website is provided for educational purposes only and does not intend to make an offer or solicitation for the sale or purchase of any specific securities, investments, or investment strategies.   Investments involve risk and, unless otherwise stated, are not guaranteed.  Multnomah Group does not provide legal or tax advice.  
