PLANADVISER - January/February 2021 - 18

regulatory & compliance | cover story
job, then we minimize the number of people who have access
to it," Prange says. If Lockton's Chicago office serves a plan
client, for example, only staff members there who work
directly with that plan can access the data.

To begin getting access to specific data in SageView's
system, an employee must go through an approval process
with the advisory firm's compliance department. "We have
people who are identified as having access to specific client
information, and we regularly look at that list closely, to limit
the number of people," Merid says. "We're asking, does this
person still need access to that information? If he does, we
keep that person on the list. If he doesn't, we rescind his
access to that data."

Advisory firms need a strong, role-based access program
to determine who gets access to which data, Meyer advises.
That starts with identifying all of the different role types
among an advisory firm's staff. Then it requires determining
which specific roles should have access to which data to fulfill
job duties. "It's not magic; it's just detailed work," he says.

CAPTRUST's cybersecurity policies include a recurring
user-access review process, Meyer says. "We review role-based
access quarterly," he says. The firm uses the identity-security
platform from SailPoint Technologies Holdings Inc.
Each quarter, the program sends the previous quarter's
access data to managers and asks them to review it for their
area and sign off that they saw nothing problematic or in
need of change.

For PlanPilot, the mechanics of cybersecurity also include
a protocol for accepting participant data sent by a sponsor
client. The advisory firm will accept the data only if it was
transmitted in an encrypted email and in a "read only"
format: It accepts no files in a format that would allow PlanPilot
to edit. "Our protocol is that we can only view participant
data - we can't change it," Olsen says. Any file not meeting
those specifications will be deleted by the staff member who
receives it; he then asks the client to resubmit it properly.

Stay Proactive

Companies need a regular scan of their system to detect
potential cybersecurity problems, says John Busch, president
of Busch Data Management in Anaheim, California. The firm
consults with SageView on its cybersecurity. "This is 'policing'
the data," he says. "You need to make sure that all the proper
rules of 'hygiene' are actually being followed."

Doing so includes proactively ascertaining that a firm
is storing nothing but the personally identifiable informa-

A CLOSER LOOK AT RECORDKEEPING DATA

A recordkeeper's participant data
can help give the plan's adviser insights
that lead to changes in plan design,
the investment menu and education
that improve participant outcomes.
But to help protect participant data, it
is important for advisers to be mindful
about how much data they access and
to understand recordkeepers' cybersecurity
policies and processes.

Plan advisers often want access to
as much data about a plan's participants
as the recordkeeper will provide,
says Eric Brickman, chief solutions
officer at retirement plan provider
Newport in Walnut Creek, California.
"How much access to data an adviser
actually gets runs the gamut," he says.
"It's a function of the adviser's role
with his plans: The data follow the
need. As the recordkeeper, we function
as a steward of the data."

Typically, when advisers gain
access to Newport participants' individual
plan data, that is preceded by
plan sponsor authorization, often
via written agreements between the
sponsor, the adviser and Newport. "The
plan sponsor approves the adviser's
access to specific data, and Newport
then works with the adviser, based
on the sponsor's direction," Brickman
says. "It's a healthy system of checks
and balances."

It is worth the adviser's time to fully
discuss with the recordkeeper the data
it has supplied, Brickman suggests.
"At Newport, we don't just view it as
a transaction of sharing the data," he
says. "We walk the adviser through the
data we're sharing. Often, advisers just
assume that data are data." As recordkeepers
have different ways of organizing
and updating participant data,
an adviser can easily misinterpret it
unless it is explained, he says. "That's
why we believe it's important for an
adviser to not just see the data, but to
truly understand it," he adds.

It is also worth advisers taking the
time to help their sponsor clients understand
their recordkeeper's cybersecurity
protections for participant data,
sources say. "It's a generally accepted
practice that advisory firms participate
in a security assessment at least once
a year for those recordkeepers they're
recommending," Brickman says.

Every recordkeeper will check the
box "Yes" in response to a cybersecurity
questionnaire asking whether it has a
cybersecurity policy or encrypts data,
says Karen Prange of Lockton Retirement
Services. "As advisers, we help
sponsors go beyond the first layer of
information. Our goal is to help them
look underneath that initial response.
We want to really understand how the
recordkeeper's program works, how it