In a recent call with a 15,000-employee plan sponsor client that had implemented automatic enrollment, Kathleen Kelly, managing director at Compass Financial Partners, discussed their concerns that a majority of the plan participants had not authenticated their accounts. As a result, their accounts were at a greater risk of hacking, which led to a massive communication campaign.
Beyond fees, funds and fiduciary, the normal topics for plan advisers, 401(k) clients are asking about cybersecurity issues.
Greg Middleton, director of marketing at Captrust, said that cybersecurity is a "massively growing issue" within adviser RFPs, along with business continuity plans and disaster recovery testing.
Record keepers are spending billions to protect their systems and employing a growing army of tech professionals who can fend off attacks on vulnerable participants' accounts. Plan sponsors are increasingly concerned not just about protecting their employees, but also about the fiduciary liability involved.
[Recommended video: Protecting against the insider cybersecurity threat]
So why have advisers been in denial about cybersecurity? What's the risk, what's their role, and how can they best protect their clients — and themselves?
Institutional consultants that service larger 401(k) plans have been focused on how record keepers are dealing with cybersecurity risks. That led Spark Institute, the record-keeper industry association, to create a template so that everyone is on the same page.
Yet retirement plan advisers serving smaller clients have yet to get the message and are unsure about what they should be asking and even what role they should play.
Mr. Middleton noted that advisers can either outsource the evaluation process or hire IT professionals, a luxury that few advisers can afford.
Ms. Kelly said that she relies on LPL to provide guidance, which is one of the reasons she stays affiliated with the large broker-dealer. Many advisers have gone pure RIA, leaving them with scant IT resources.
Jamie Greenleaf, principal at Cafaro Greenleaf, attends as many webinars as possible while also relying on Spark.
More and more plan sponsors are realizing that as digital fiduciaries, their job is to protect participants' account and information. In turn, plan advisers hired as co-fiduciaries need to help clients manage that risk. Yet advisers are reluctant to bring up issues about which the client may know more, which is why the overwhelming majority are still focused on fees, funds and fiduciary.
Advisers may not have to become cybersecurity experts or even hire professionals, but they need to understand the issues, the risks and the roles of each of the parties in the 401(k) food chain that handle data, especially participant data.
So not only is cybersecurity becoming an essential part of serving defined-contribution plan sponsors, it is an opportunity for advisers to differentiate themselves by dealing with issues that competitors avoid.
And advisers who think the job stops with conducting due diligence on record keepers' cybersecurity protocols are sadly mistaken.
At a recent conference held by Charles Schwab, a Homeland Security representative noted that hackers are more likely to go after the smaller vendors of big providers, which are much more vulnerable. Examples of such smaller vendors would be advisers and third-party administrators, especially smaller shops that house an incredible amount of plan and participant data that is largely unprotected.
Ms. Greenleaf said that she is proactive with clients and brings up the issue with committees eager to learn more about how to protect their employees and the company vulnerable to attacks.
"If advisers are not thinking about cybersecurity, they should be," she said. "It's our job to protect clients, especially as co-fiduciaries."
Fred Barstein is founder and CEO of The Retirement Advisor University and The Plan Sponsor University. He is also a contributing editor for InvestmentNews' Retirement Plan Adviser newsletter.