Plan Sponsor Interview with Josh Newsminster
What new cybersecurity measures have you implemented or are considering implementing this year? Any third-party vendors that have piqued your interest? What missing pieces are you and your participants most looking for?
At the participant level, participants have access to 2FA with Fidelity (plan recordkeeper), which helps reduce the risk of unauthorized access. More broadly, we’re expanding the conversation on encryption and tokenization to protect sensitive data at rest and in transit. Another area of focus is increasing real-time monitoring and incident response capabilities, which will likely be driven by our third-party partners such as Fidelity and BNY Mellon (custodian) rather than a specialized bolt-on cybersecurity service.
Beyond Fidelity and BNY Mellon, we have not looked at any other cybersecurity third-party vendors. From an investment manager’s standpoint, focusing on identity theft protection and AI-driven threat detection, for example, BlackRock’s Aladdin cybersecurity suite, which integrates risk management with retirement plan operations, is interesting.
As for what’s still missing and what participants are increasingly asking for: most participants “expect” the providers to secure their account with the most up-to-date systems and processes available. At the user level, most participants choose convenience over security, and therefore requesting participants to turn on 2FA can be challenging. As technology evolves with advances in encryption, smart contracts, and tokenization, building a UI to account for users’ behavioral biases will be critical.
How do you view the current set of DOL guidelines, regulations, and language on AI and plan cybersecurity? Are they ample and clear for the current environment in your views?
The Department of Labor (DOL) has made good strides in addressing cybersecurity, particularly with their guidance outlining best practices for plan sponsors and fiduciaries. However, cybersecurity is not one and done; with the rapid pace of AI development, the DOL’s guidelines on cybersecurity will not always be up to date. As a result, it will need to be the third-party providers, in partnership with plan sponsors, that determine the adequacy of AI tools. So, while the existing guidelines provide a good foundation, they don’t yet address emerging technologies as comprehensively as I’d like – but I’m not sure if they ever will.
Any unique cybersecurity or technology concerns for your plan that come to mind? Any advice or questions for your peer plan sponsors on those fronts?
I don’t have any “unique concerns,” but a few concerns that come to mind include the increasing sophistication of phishing schemes targeting participants. Since participants are often the weakest link in any cybersecurity defense, it makes sense, and becomes imperative, that plan sponsors help participants understand the risks and know how to protect themselves. Another concern is the secure integration of third-party vendors and service providers. Ensuring that each vendor we work with has robust cybersecurity protocols in place and follows best practices is a constant focus. While it can seem mundane to spend time understanding third-party vendors’ security practices, my advice to peer plan sponsors is to never assume vendors have the same security standards and to always perform due diligence through third-party audits and certifications.