A Cautionary Tale About Cybersecurity

Practice Management

Your friend’s Facebook account was hacked, your neighbor was part of the Equifax data breach, your client’s credit card was charged fraudulently, but never do you think it could happen to you.

Well, it could. In this post, we’re going to share a story about our (near) personally identifiable information (PII) mishap – and a new marketing idea on how you can approach prospects to win more retirement plan business.

See Something, Say Something

PII is defined as any data that could be used to identify a particular person. Some examples include full name, Social Security number, driver’s license number, bank account number, passport number and email address. In most of our day-to-day business, we encounter tidbits of this information, and normally we don’t think much about it. However, it’s important to address this issue.

With that, I’m excited to share that 401(k) Marketing has established a 401(k) plan. It has taken 5 years of hard work and an incredibly dedicated team to achieve it. As part of our on-boarding process, we received an email from our recordkeeper relationship manager to complete a census. Pretty normal, right? Well, here’s the twist: They asked us to fill out an Excel spreadsheet… not a password-protected document or a gated form on a secure plan sponsor portal… an Excel spreadsheet!

Every single 401(k) conference includes a session on the importance of protecting PII. Yet, here we were experiencing a blatant standard operating procedure with zero regard for PII. Is this for real?

While it might not seem like much for a small firm to upload and send sensitive information about a handful of employees – it is! And here’s an opportunity to demonstrate your competitive edge: Talk about cybersecurity with your clients, prospects and centers of influence.

Addressing a Sore Subject

If you’re an advisor, TPA, auditor, recordkeeper, DCIO, service provider or wholesaler, this could be a very relevant topic to bring up with clients because every single person knows someone who has experienced a cybercrime. 

Cyberattacks are a source of pain. People remember pain. If they have a story, then this will spur them to share it. They will want to have their voices heard. Take this opportunity not only to call out that experience, but also to transition the person away from the current service provider firm that created it. Or help the plan sponsor and administrator wake up to possible security issues and potential areas for data breaches.

It only needs to happen once – one client, one friend, one encounter – for someone to speak up. As a vigilant professional in our industry, if you see anything that violates PII data exchange, say something.

Stay Awake

Find out what your internal data protection procedures are and discuss them. For example, a client should never fill out and upload an Excel spreadsheet with PII because, in the wrong hands, it could cause long-lasting harm.

PRO TIP: Recommend that your firm hire a white hat hacker to conduct a cybersecurity audit of your firm to identify areas for an easy data breach. 

Every organization has best practice resources with whom they can discuss cybersecurity, so use them! Possible marketing ideas include: hosting a webinar, posting about it on social media, and sharing tips and best practices via email with a helpful infographic. Whatever your approach, start talking about it. 

If a data breach happens, it costs a company an average of $301 per employee to remedy it, according to the Ponemon Institute. Imagine a TPA with thousands of clients; how much would that cost? Or a recordkeeper with millions and millions of accounts; how much would they need to spend to right the wrong?

While cybersecurity sounds like a faraway sci-fi world, it’s not. It’s right here. It’s around us every day. Be the voice of rationality that raises a hand and identifies that this is not okay. Be the “white hat” our industry needs to stop wrongdoing before it happens. Be the plan hero that identifies possible breach situations. 

While we never think it could happen to us, it could happen to a friend, neighbor or client – because if it’s happening right in front of you, then it’s happened before and will happen again.

Thanks for reading and Happy Marketing!

Rebecca Hourihan, AIF, PPC, is the founder and CMO of 401(k) Marketing


All comments
David Kupstas
3 years 8 months ago
I assume the issue is not that Excel was used, but that it was used "naked," meaning no password, no secure file sharing system, etc.