
What’s New on the Cybersecurity Front?

Conferences & Events

At a Sept. 13 workshop at the NAPA 401(k) Summit, two IT executives from CAPTRUST and Empower outlined their firms’ cybersecurity initiatives and shared tips for advisors. 

Jon Meyer, Chief Technology Officer at CAPTRUST, and Trish McGinty, Head of Cybersecurity Communications at Empower, were joined by moderator Ryan Tiernan, SVP, National Accounts at Capital Group/American Funds.

Meyer described CAPTRUST’s cybersecurity efforts both internally and for their clients. Internally, he indicated, the overarching goal is to make incremental progress year-over-year, focusing on elements of cybersecurity like annual risk assessments and penetration testing. “We’ve sent people in posing as copier repairmen to see if they can gain access to our buildings, or with pizza deliveries to see if they can trick developers into letting them in,” he noted. “Once outsiders are in the building, it’s important to make sure they can’t plug a device into our network or put a device between a photocopier and the wall.”

Externally, “the biggest value-add we’re doing for our clients is that we’re really doing the research for them,” he continued, citing as an example a distilled version of the DOL’s recent cyber guidance that the firm’s research staff created for plan sponsors. In addition, CAPTRUST “is in touch with all the fiduciaries at the plan, collecting information from them, and putting it into a context where it makes it easy for our plan sponsors to benchmark the different recordkeepers that are seeking their business,” Meyer said. “And our centralized research team does an amazing job at staying in touch with our recordkeepers and other providers to understand where they stand from a cybersecurity perspective.”

Focus on Cyber Fraud

McGinty explained the differences between cyber fraud and cyber breaches and how advisors should be communicating with recordkeepers about them. “A breach is a confirmed compromise of an information security system, whereas cyber fraud is a confirmed compromise of something like a participant’s financial account,” she noted. On the cyber fraud side, she said, advances in identity verification technology mean there are now fraud protections that can identify more than 100 different attributes of a participant who is calling in. “It’s important that recordkeepers have all these layers of defense against what the criminals and bad actors are doing,” McGinty noted, and that they then communicate those defenses to advisors, so advisors can have more productive conversations with recordkeepers about their security practices.

Using the DOL’s Best Practice Guidance

Meyer and McGinty both praised the DOL’s April best practices guidance on cybersecurity, which included these tips for hiring a recordkeeper:

  • Understand what their information security standards are and how they audit and validate them. This would entail an AICPA SOC Type 2 report on their IT systems, McGinty noted.
  • Evaluate their track record in the industry.
  • Ask about any breaches and how they responded.
  • Ask about their cyber liability insurance. Make sure it covers social engineering (e.g., phishing or a bad actor impersonating a company employee), McGinty recommended, as that is not always included.
  • Make sure that cybersecurity provisions are included in the service contract.

At Empower, McGinty indicated, they have produced several different guides for plan fiduciaries that incorporate and expand upon the DOL’s best practices guidance.

Moreover, advisory firms should “look inward” and apply the DOL’s guidance to their own IT practices, Meyer added, noting that even though they’re not recordkeepers, they do possess sensitive data that must be protected from fraud and theft—for example, employees accessing client or participant data remotely. 

“I think the DOL guidance is a little bit of a wake-up call,” Meyer continued, “and I think we’ll probably see some enforcement rolling down to advisors for not doing the things that are called for in the guidance.”

McGinty suggested that advisors also share the DOL guidance with their plan sponsor clients. In addition to tips on cybersecurity and choosing a recordkeeper, the guidance also includes general online security tips that should be shared with participants, most notably registering their accounts and providing multiple ways for the recordkeeper to contact them.

What else should advisors be asking potential recordkeeping partners? McGinty offered five tips:

  • Do they own the recordkeeping platform or is it outsourced?
  • What’s the underlying system? Is it mainframe; is it server; how much is in the cloud?
  • Can they provide a SOC Type 2 report? 
  • What happens if they suffer a breach? 
  • Is there a security guarantee?

“Make sure that these provisions end up in the service contract, and they’re not just something you hear about in a presentation,” Meyer added. “Are you contractually protecting the plan from the kind of incidents that could occur? This is where you take all those things you’ve learned about cybersecurity and turn them into something actionable.”
