PLANADVISER - January/February 2021 - 16

regulatory & compliance | cover story
list of requirements and making sure that is satisfied."
The Employee Retirement Income Security Act (ERISA)
nowhere spells out the responsibilities that fiduciaries
have for participants' data security, agrees Edward Redder,
a partner in law firm Thompson Hine in Columbus, Ohio.
"That's one of the frustrating points that many practitioners
have raised with the DOL [Department of Labor]:
There aren't any clear rules on what their duties and
responsibilities are," he says.
However, ERISA's broader principles indirectly provide
guidance on cybersecurity. "It's all about process under
ERISA," Redder says. "ERISA doesn't require that the results
always end up where we'd like them to. But it does require
having a prudent process in place and following it."
Beach, California. "You need to keep that information closely
held - with the people who need to know that information.
Any participant data we have, we hold onto it tightly and
secure it as much as possible."
The policy also should lay out the plan for what happens
if a sponsor has reason to believe a third party successfully
entered the company system without authorization.
"It's very important to do an incident response plan," Brown
notes. "It needs to spell out: 'If there is a data breach, what
do we do?' You can't start to figure that out once something
happens, because you have to act fast to identify where the
hackers have been in your system, and confirm they're no
longer there.
"You also need to have an incident response
team:
Financial advisers also are subject to the Securities
and Exchange Commission (SEC)'s Regulation S-P, which
requires that advisers have "reasonably designed" cybersecurity
policies, says Craig Foster, also a partner at Thompson
Hine in Columbus. And state laws could potentially come
into play in a lawsuit. "Many states have 'deceptive trade
practices' acts, and those often provide for civil penalties,"
he says. "So advisers could have some vulnerability there."
An amended complaint in a lawsuit filed last year by an
Abbott Laboratories Stock Retirement Plan participant -
alleging that protocol failures led to a $245,000 theft from
her account - makes a claim against the plan's recordkeeper
based on deceptive trade practices, Redder says.
"That's an area that plaintiffs' attorneys are exploring," he
says. "Does ERISA pre-empt those state laws? That is still
an open question."
Lay the Foundation
Advisory firm PlanPilot in Chicago has developed a cybersecurity
policy with protocols including how its staff
handles participant data. "In essence, it's like having an
investment policy statement [IPS]," says Managing Director
Mark Olsen. "It's all about putting procedures in place and
documenting that you are following those procedures on
an ongoing basis."
A cybersecurity policy should specify the steps an
advisory firm takes to protect participant data. "First and
foremost, the policy should limit data access to the people
who actually need the data," says Chief Compliance Officer
Sharina Merid of SageView Advisory Group in Newport
Identify who is on that team and what role each
person would play. Having a playbook
and a cast of characters is really critical,
if something happens."
And while technology plays a
crucial role in cybersecurity, she says,
there is also a huge human factor.
"There's definitely a training component,
to make sure a firm's employees
keep data security top of mind and
understand the various forms of
intrusion they could encounter."
All PlanPilot employees receive
education. "Everyone who works here
is trained on cybersecurity, whether they're in an area that
needs access to sensitive participant data or not," Olsen says.
"Even interns are trained - not because they're handling
sensitive data, but because, if they happen to pick up the
phone when a participant calls, we want to be super-sure
they know how to respond."
CAPTRUST trains new employees on its cybersecurity
processes, as well as educating all employees annually. "We
have an information security policy that every new employee
has to read and sign off on, acknowledging that he or she
has read it," Meyer says. "We also have initial cybersecurity
training we do online." Asked what points he wants new
colleagues to take away from that training, he says, "Clearly,
that we take it seriously. There is probably no greater risk to
our firm than a human mistake leading to someone's assets
being stolen and to a loss of a client's confidence in us.
"We want them to be thoughtful in the actions they take,
such as the emails they open and the emails they send,"
Meyer continues. "We also want them to be careful about
keeping a clean desk and about what documents they print
out versus looking at them electronically. And we want
them to understand, if they're in a position to facilitate the
transfer of money for clients, that they have to be careful
with all of the procedures that relate to that transfer."
Clean House
As to key ongoing steps to prevent data breaches, Brown
suggests that a firm have in its system only the participant
data it currently needs in order to do its work for the
client. "Companies have a tendency to collect data they