401(k) Specialist Issue 2 - 2020 - 21

401(k) TECHNOLOGY
same time, I want to have 70-something
of the most paranoid people in the world, "
he said.
Encouraging employees or plan participants
to apply those standards to their personal
accounts can help make them less of a burden.
Goode said that he's had employees tell him
they've adopted similar security standards to
the ones they use at work because they recognize
that they're much safer.
Encryption
Encrypting data should be standard practice
for any advisor. Data at rest (whether
it's being stored in the cloud, or on local
networks or hardware) and data in transit
should be encrypted to prevent it from
being used if it's stolen.
" You want to make sure both of those
methods are encrypted when using any kind
of third-party vendor, " Goode said.
As the Department of Labor ponders a
rule that would make electronic delivery of
disclosure documents the default, it's clear
that encryption will only become more
important. Ironically, a survey from the
Secure Retirement Institute found consumers
believe paper statements are more secure
than electronic ones; this was especially true
among the famously tech-oriented Millennial
and Gen Z consumers surveyed.
Advisors' current operating systems likely
already have built-in or additional encryption
solutions, like Microsoft's BitLocker or
Mac's FileVault. Third-party products like
AxCrypt or CertainSafe are also available.
Cyber Insurance
Cybersecurity insurance is still a developing
product, but advisors and plan sponsors
should look into securing this type of coverage
if they haven't already. A 2016 report
from the ERISA Advisory Council found
more than 60 carriers offer standalone
cybersecurity insurance policies, with over
$2 billion in written policies. The council
expects that market to grow to $75 billion
by this year.
General liability or errors and omissions
policies are unlikely to provide much coverage
for a cyber event. Cybersecurity insurance
may cover things like legal expenses,
data restoration, disclosure statements and
other expenses that arise from a data breach.
" Plan sponsors and fiduciaries should
understand what cyber insurance does and
does not provide and how it coordinates
with other types of insurance coverage,
so that they can appropriately consider
whether to incorporate cyber insurance into
their cyber risk management strategy, " the
ERISA Advisor Council wrote.
Do Your Due Diligence
Ringquist encouraged advisors to apply
the same guidance they give their clients to
their own practices.
" Start with their own business, start with
their own personal accounts, " he said. " How
are they protected? "
He believes that in conducting their due
diligence, plan sponsors are aware of the risk
cybersecurity poses and are prepared to take
advice on how to protect their clients.
" When we're interacting with plan sponsors
in a sales situation or service providers,
the level of due diligence, particularly around
information security, has significantly increased
I'd say in the last five years, " Ringquist
said. " I think the industry, particularly the
large plan sponsors, the recordkeepers and
so forth, are most definitely paying attention
to this issue. "
Goode reiterated that the nature of the
financial services industry means companies
will have to share sensitive information in
the course of their business.
" People need to understand, you have
data that can be used to steal people's identity,
and some of that data you may need to
send to third-party vendors for services, " he
said. " You need to understand how that data
is going to be protected, encrypted and used
by those vendors. "
Solo Cybersecurity
P
reeti Shah, founder of Enlight Financial in New Jersey, knew she needed
to do something about cybersecurity.
" Every time you take some compliance exams that the state sends you,
you go through procedures and processes that ask you, 'Do you have this taken
care of?' or 'Do you have something in place?' Plus clients will ask me about
this also: 'How is my data safe?' " she said.
As a member of XY Planning Group, she was also hearing from peers who
were talking about cybersecurity and the steps they were taking.
Shah used to belong to a broker-dealer, which took care of cybersecurity
issues for its reps. Since going out on her own, she had to create her own
framework for protecting her firm and her clients' data from data breaches.
With help from her peers and her own research, Shah drafted a 16-point plan
that covers best practices for protecting communications and document storage
procedures, as well as securing hard assets like computers, mobile phones
and office space.
Critically, the plan includes a disaster recovery strategy in the event that
something happens to Shah. As a sole proprietor, she doesn't have a partner to
take over so she identified someone outside the firm who can act on her behalf.
She also changed her custodian to TD Ameritrade because it has a consumer-facing
platform so " clients could reach a team in case, God forbid, I was hit
by a bus or something. "
Shah acknowledged that she is still just wading into cybersecurity, and while
she has a comprehensive plan, she's still in the process of implementing some
of the steps.
" They're all important, " she said of each step, " because you can be hacked
or you could lose data anywhere. " However, identifying what needs to be done
and starting with the easiest tasks helps build momentum.
ISSUE 2 2020 | 401kSpecialist.com
21
http://www.401kSpecialist.com
401(k) Specialist Issue 2 - 2020

Table of Contents for the Digital Edition of 401(k) Specialist Issue 2 - 2020
