PLANADVISER - January/February 2021 - 19

tion (PII) it needs to fulfill current duties.
" Any PII you receive, you have to treat as
'toxic waste,' and we are always scanning
SageView's system and looking for
toxic waste, " Busch says. It could slip an
adviser's mind to delete stored PII from
a previous client's project, and frequent
system scans help minimize that risk. " If
you don't know that you have the data,
you can't correct it, " he says. " Anytime
personal data is on the SageView system
that doesn't need to be there, we purge it. "
It is also important to proactively scan
" Companies have a tendency
to collect data they may not
need now but they think could
be useful in the future. That's
really just amplifying the risk. "
an advisory firm's system for potentially
problematic activity. " You have to be in front of the threats, "
Busch says. His company uses artificial
intelligence (AI)
technology to frequently look for abnormal activities in
SageView's system-e.g., if someone has tried to log in from
an unusual international location. " We're always looking
for what's out of place, " he says. " The reality is, if you're not
looking for it, you're never going to find it. "
Lockton Retirement Services regularly apprises staff
members about current cybersecurity threats. It sends
them compliance updates and includes cybersecurity news
in its Workplace system, an internal-communications
tool for businesses, provided by Facebook, that Lockton
began using last year. " It works well to keep our employees
informed. Especially for our younger employees, that's the
way they're accustomed to getting information, " Prange
says. " So instead of cybersecurity updates getting buried in
my email inbox, I scroll through news on Workplace. "
-Judy Ward
is creating its strategy, the cybersecurity
governance it has in place, and how
it is testing its program. "
Duke Alden, vice president of client
and customer security at Alight Solutions
in Lincolnshire, Illinois, sees
two overall keys to a recordkeeper's
cybersecurity approach. " The first is
continual evolution. The threat landscape
changes constantly, so we must
adapt, adjust and make investments
in new security measures, " he says.
Second, a recordkeeper needs to create
a culture of accountability and ownership
about cybersecurity, he says.
Beyond those two factors, a recordkeeper's
specific controls and procedures
for
fighting
fraud are
especially
crucial, Alden says. " Fraudsters
continue to show a lot of creativity,
and a level of relentlessness, that we
must match every day. It's important
that recordkeepers employ an intelligent
and layered security model that
protects participants' accounts, while
still providing a positive user experience, "
he says. This should include
the latest security features such as
multi-factor authentication at log-in,
real-time fraud detection capabilities
for certain transactions, and text
alerts to participants when a transaction
is initiated for their account or
an account change such as an address
change is requested.
An adviser evaluating a recordkeeper's
cybersecurity will need to
understand how it processes distribution
requests and the steps it takes to
prevent fraudulent withdrawals, says
Edward Redder of Thompson Hine.
" Can someone go through the online
participant portal or mobile application
to initiate a distribution? " he says.
" If that's the case, does a participant
have to use multifactor authentication
to get access to the account? This can
significantly mitigate the risk of a 'bad
actor' redirecting a distribution. "
It is important to understand a
recordkeeper's cybersecurity track
record, says Craig Foster of Thompson
Hine. " If it has had hacks, especially if
they resulted in a [monetary] loss to
individual accounts, how have they
been resolved? " he says.
Redder advises also learning about
the internal review process the recordkeeper
uses if a data breach occurs.
And if a cybercriminal succeeds in
making a fraudulent withdrawal from
a participant's account, look at the
recordkeeper's policy on making the
participant whole.
" We're seeing an
uptick in the number of recordkeepers
that provide some type of warranty
or guarantee that would protect a
participant if there is a loss to his or
her account because of a third-party
'bad actor,' " Redder says. " But all of
these guarantees from recordkeepers
also require the participant to have
taken certain actions before the loss,
to be covered. It's important to carefully
review the requirements in the
guarantees. "
The requirements vary by recordkeeper,
he says, but could include something
such as a participant previously
having changed his password whenever
prompted by the recordkeeper.
Foster suggests that an adviser
should also examine the coverage
provided in the recordkeeper's cyberinsurance
policy, which can vary.
" When cyber insurance started to be
introduced, it was very expensive and
didn't cover much, " he says. " Now, the
cost has come down, and it may cover
more. " -JW
planadviser.com January-February 2021 | 19
http://www.planadviser.com
PLANADVISER - January/February 2021

Table of Contents for the Digital Edition of PLANADVISER - January/February 2021
