America’s Best Startup Employers

By Forbes

Forbes partnered with market research company Statista to identify the up-and-coming companies liked best by their employees in their inaugural ranking of America’s best startup employers. The list was compiled by evaluating 2,500 American businesses with at least 50 employees on three criteria: employer reputation, employee satisfaction and growth.

Vestwell Tackles ‘Traditional’ 401k Recordkeeping with Latest Tech Release

By John Sullivan, Editor-In-Chief, 401K Specialist

Digital 401k platform Vestwell says it’s taking a leap forward in the technology it provides, “resetting the bar” across the retirement plan industry by shedding what it calls 30-year-old technology that currently oversees complex recordkeeping.

The capabilities are powered by an API-driven tech stack, resulting in a more efficient, flexible and cost-effective 401k offering, according to the company.

“So much of the way in which the industry does things was put in place pre-internet,” Aaron Schumm, Founder and CEO of Vestwell, said. “Things have come a long way over the past 20 and 30 years, but it’s just time to kind of rewrite how [retirement plan recordkeeping] works and bring it to a way in which we expect our financial lives to be treated. So that’s really what we’re focused on.”

Vestwell Launches Next Evolution of its 401(k) Platform, Removing Traditional Recordkeeping that has Held the Industry Back

Vestwell eliminates the barriers that currently surround recordkeeping, bringing new efficiency to the $30 trillion retirement industry

New York, NY – February 27, 2020 – Vestwell, the advisor-friendly digital retirement platform, has announced the next evolution of their platform, resetting the bar across the retirement plan industry. Before Vestwell, 401(k) plan providers were beholden to thirty-year-old technology to oversee complex recordkeeping. Vestwell has reimagined the process by developing a modern tech stack that powers all aspects of retirement plans, without the need for recordkeeping in a traditional sense. The result is a more efficient, flexible, secure, and cost-effective way of offering 401(k) and 403(b) plans.

“Since inception, Vestwell has been about enabling anyone to offer and run a 401(k) or 403(b) program regardless of size and complexity and without the friction that comes with managing a plan. We have now been able to take that to the next level, flattening ‘the stack’ and removing the need to ‘run recordkeeping’ software in the traditional sense,” said Aaron Schumm, Founder and CEO of Vestwell. “We’ve now put the architecture in place to bring employees’ retirement plan accounts closer to the way they manage all of their other financial accounts.”

Historically, legacy recordkeeping technology and lengthy, redundant processing have resulted in a market hindered by high costs, inefficiencies, and razor-thin operating margins that left half of the businesses in our country and their employees unserved. Employers in the small-to-midsize market have been left with three unfavorable options: provide a generic plan, pay high fees, or not offer a plan at all.

Vestwell has changed the game by developing a front-to-back, API-driven workplace investing architecture that modernizes the retirement industry. Vestwell is providing the infrastructure to handle a real-time, flexible company plan design with custom investment management options, in a fully white-labeled construct. Vestwell’s technology-driven construct innovates the following features and services:

  • Recordkeeping: Company and employee records are now fully centralized and maintained in-house on a modern tech stack that allows for full plan design and investment flexibility while eliminating reliance on legacy tech solutions. The solution can power financial services companies, payroll companies, and third party administrators alike – all fully white-labeled.
  • 3(16) Administration: Vestwell can also step in as a full 3(16) plan administrator, maintaining employee eligibility, loans and distributions, notices, and compliance testing on behalf of the plan sponsor – thus halving processing time and enabling faster issue spotting and resolution.
  • Custody: As part of a partnership with a modern, API-driven custodian, Vestwell has created an infrastructure that revolutionizes the cash movement and investing capabilities of individuals in and out of a workplace offering. Each next best dollar for an employee can be managed in the most appropriate way possible, under one seamless architecture.

Vestwell’s platform will become the new norm across the retirement industry, bringing the worlds of the workplace and individual financial investing together. Furthermore, it enables advisors, payroll companies, and enterprise partners to focus on their most core competencies: providing value, while bringing their clients and relationships closer.

About Vestwell Holdings, Inc.
Vestwell is a digital platform that makes it easier to offer and administer retirement plans. Vestwell removes traditional friction points through flexible investment strategies, fiduciary oversight, and streamlined administration, all at competitive pricing. By acting as a single point of contact, Vestwell has modernized the retirement offering while keeping the advisor’s, employer’s, and plan participant’s best interests in mind.

Learn more at and on Twitter @Vestwell.

New Vestwell Infrastructure Removes Traditional Record Keepers from Retirement Plan Administration

Vestwell now brings all non-custody services in-house

By Ryan W. Neal

Digital retirement platform Vestwell is developing a new technology infrastructure that would do away with the need for traditional record keepers.

Vestwell’s existing technology lets advisers create, sell and manage defined-contribution retirement plans, but founder and CEO Aaron Schumm said the engine still needed connections with archaic record keepers that slowed down processes and drove up costs.

“Legacy providers out there have been around for a lot of years. They work, they perform a function that’s critical to the equation, but it’s old,” Mr. Schumm said. “We’ve revisited, redone and rethought [record keeping] from the ground up.”

With a new investing architecture driven by modern application programming interfaces, or APIs, Vestwell can maintain records in-house on a digital database and take full control over 3(16) administrative tasks such as eligibility, loans and distributions, notices and compliance testing.

By automating record keeping and bringing all non-custody services in-house, Mr. Schumm believes Vestwell enables advisers to offer white-labeled workplace retirement plans more efficiently, cost-effectively and at scale.

“If you’re an adviser and you’re working with 100 retirement plans and each have 30 employees and you want to access those 3,000 individuals, it’s [currently] hard to do at scale,” Mr. Schumm said. “This new framework will remove how record keeping has functioned to date.”

The idea is to help advisers sell and manage DC plans for employers at small and midsize businesses. Because of the high costs, inefficiencies and thin margins of traditional record keepers, these employers’ only options are to offer a generic retirement plan, pay high fees or eschew offering a plan at all, Mr. Schumm said.

Vestwell’s APIs support custom investment management options, bringing 401(k) and 403(b) plans closer to how individual brokerage accounts operate.

“We’ve created the ability for a participant to have their own custody account within a 401(k),” Mr. Schumm said.

The new infrastructure follows several updates from Vestwell since the company attracted a $30 million investment from Goldman Sachs. Vestwell recently updated the user experience of its adviser- and client-facing portals.

The new infrastructure also paves the way for future developments that Mr. Schumm is even more excited about, such as bringing in other workplace accounts like health savings accounts. In the future, he wants Vestwell to support what he calls “next best dollar” decision-making.

When a plan participant gets paid, the idea is that part of their money will automatically be set aside for saving into the most tax-optimal location, whether that’s a DC plan, an HSA or flex spending account, or an individual brokerage account. By allocating money into the best “bucket,” Mr. Schumm said, advisers using Vestwell can help clients with their biggest concern: how they should best be saving.

“The easier we can make these decisions and make this available to people, the more we’re going to help them save,” he said.

While Mr. Schumm doesn’t believe that what he’s built with Vestwell is essentially a digital startup record keeper, for now, he doesn’t have a better word for it.

“We’re expanding the features and functions within this new architecture of a record keeper,” Mr. Schumm said. “In 2021, our focus will be on larger initiatives for where we want to take the industry.”

3 Ways Advisors Should be Using LinkedIn

We all know that lead generation can be one of the more challenging – and time-consuming – parts of anyone’s job so it’s important to equip yourself with the right tools to effectively grow your business. When used correctly, LinkedIn can be one such powerful tool. Taking the time to polish your LinkedIn profile and understand how the features work means you’re more likely to find the right clients – and they’re more likely to find you. When creating your LinkedIn strategy, we recommend focusing on these three basic, but critical, tactics.

1. Give Your Profile a Facelift

Profile Picture & Banner Image

Your profile picture is like a handshake; it’s massively important but should in no way be memorable. Include a photo that shows you in a professional, friendly light. Clients like to know who they are dealing with. You can also upload a banner image to the top of your profile. If you decide to add one, we recommend selecting an image that represents your city/region or your firm’s logo.

Professional Headline

LinkedIn gives you 120 characters to write your headline, so make it as concise (but informative!) as possible. Think of the people you want to engage with and write a very short statement that will directly appeal to them. For example, rather than writing “Retirement Plan Advisor, CFP,” try something more engaging such as “Helping small businesses select and implement the right retirement plans | Financial Advisor, CFA | NYC.”


In addition to your headline, you have an option to include a summary. Think of this as a cover letter, not a resume. This is your chance to elaborate upon the value you lay out in your headline and reflect your personality. It is important to give a clear, consistent message as most people will not read your summary word for word. We recommend laying it out as follows:

  • Section 1 – Opening
  • Section 2 – Your value to your market (Summarize in three bullet points)
  • Section 3 – Who you’re looking to help and how
  • Section 4 – Outside-of-work interests

Pro Tip: Ensure your summary is written in the first person (‘I’ or ‘We’) to prevent it from looking like something you copied and pasted from a resume.


A great feature of your LinkedIn profile is the ability to add multimedia to it, such as PDFs, PowerPoint slides, videos, links, and more. This gives you the opportunity to include content that is specific to your clientele and position yourself as an expert.

2. Find Your Ideal Contacts

To start a conversation with a prospect you have to find them first. Fortunately, the search features available on the free version of LinkedIn turn it into an impressive database of filtered business professionals. The parameters allow you to create highly-focused prospecting lists that provide you with real-time information on your leads. Using this information to personalize your message is extremely valuable when it comes to engaging with people – and makes gatekeepers a thing of the past.

Primary Search Features

All LinkedIn searches can be started by typing a search parameter into the main search bar. By way of example, let’s say you want to find accountants in New York (you can no longer search by zip code radius; it has to be by town or city). To begin your search, simply type “accountant” into the search bar. On the next page will be the result of the search – click on “People.”

You can now narrow down these results by using the 3 primary filters at the top of the screen: Connections, Locations, and Current Companies. As you select each filter, the search result will automatically refine itself. You can also click “All Filters” if you want to narrow down results by industry, past companies, etc.

Boolean Searches

The other thing to keep in mind is that you can now perform “Boolean” searches, whereby you enter “NOT,” “AND,” or “OR” between terms. For example, if you want to find company directors who like golf, you would enter into the search field: “director” AND “golf”.

3. Leverage the News Feed

News Feed

The main feature of the Home Page is a tailored news feed which contains updates from all of your 1st line of connections, such as articles they shared, new job announcements, profile updates, etc. The news feed is a simple, free, and effective way to:

  • Stay top of mind for clients
  • Position yourself as an expert
  • Inform and educate your contacts
  • Drive traffic to your site

Sharing content

Sharing an update is a very straightforward process and it only takes a few seconds. There are 2 primary ways to post content – either by “liking” content on your feed or by taking content directly from a website. Here’s how each of these works:

Liking Content – Simply follow a company on LinkedIn – anything this page posts will then automatically appear on your own news feed. All you then have to do is “like” the article and it will then be shared with all of your 1st line contacts on LinkedIn.

Posting Content – Navigate to a blog or news site. Once you see a link you’d like to share

  1. Copy and paste the article URL into the “Start a post” box at the top of the LinkedIn Home page.
  2. Add the first paragraph from the article to your post – or write your own thoughts on the piece!
  3. Add three professional hashtags that are relevant and that people who are looking for that piece of content may search.

Pro Tip: When it comes to news feed etiquette, it’s important not to come across as always trying to sell so don’t just post updates about your latest product or service. People want content that is informative and educational in nature.

Pro Tip Bonus: When posting, it’s important to always include hashtags. While LinkedIn is continually updating their algorithms, three is currently the best number to increase visibility.

What’s next?

If you’ve mastered these steps and want to take your social strategy to the next level, contact Graham Aikin to explore LinkedIn workshops for advisors and wealth managers by emailing him directly at And of course, follow Vestwell for shareable content and upcoming retirement-focused webinars.
Reshaping Retirement: 3 Trends that Should Influence Your 2020’s Sales Strategy

By Ben Thomason and Fred Barstein

As legislation and technology drive change in the retirement plan market, we are seeing record-breaking rates of consolidation, impactful new regulation such as the SECURE Act, and shifting strategies including the growth of managed accounts. Moving into 2020, Fred Barstein and Ben Thomason are breaking down why these trends have taken flight and what they should mean for your retirement plan business strategy.

Trend #1 Changing Regulation Around Open MEPs/PEPs

There are 5.8 million businesses in the US with 100 or fewer employees, and of those, 90% do not have a retirement plan. The SECURE Act was passed in an effort to close this retirement gap, with significant changes made to Open Multiple Employer Plans (Open MEPs), now referred to as Pooled Employer Plans (PEPs). Previously, “open” MEPs could cover multiple, unrelated employers, but all plans needed to file their own 5500s and were subject to the “one bad apple” rule, which made them highly risky to sponsors. The SECURE Act introduced PEPs, which are essentially Open MEPs, but they can be offered to unrelated companies with only one 5500 filing and without the one bad apple rule. They must be serviced by a pooled plan provider (PPP). The PPP takes on the role of named fiduciary, plan administrator, and the organization responsible for performing all administrative duties.

PEPs also greatly reduce the plan administration lift through a single plan document, a single Form 5500 filing, and a single independent plan audit, all led by the PPP. They also have streamlined fiduciary oversight, minimizing the legal responsibilities a plan sponsor would need to manage. Finally, PEPs will likely appeal to those small employers who believe plans are too expensive and difficult to administer, and allow them to band with others to access an institutional quality infrastructure they’d otherwise have to build – and pay for – on their own.

What this means for advisors

Retirement plans are sold, not bought, so while new legislation was meant to address accessibility, that wasn’t necessarily the problem. Instead, the problem was around the complexity of plans and misinformation around the cost and time investment for small employers. That being said, just because the SECURE Act passed, does not mean companies are running to the gates – they need to be made aware of the improvements that were made. PEPs create an opportunity for advisors to market small plans in an entirely new way and alleviate concerns smaller companies have around the investment it takes to run a plan.

It’s also worth thinking about the opportunities PEPs create for those around you. This structure makes it easier for financial institutions outside of retirement – such as insurance and benefits providers, among others – to enter the market and cross-sell their existing services while gaining low priced access to the participant. To get a leg up, you may feel inclined to create your own offering, but standing up your own PEP is no small feat. It comes with significant expense and time. Partnering with a broker-dealer or recordkeeper, rather than trying to form your own, can be a more effective way to enter the market.

We also recommend thinking about other partnerships (payroll companies, associations, etc.) that offer marketing access to small businesses and still offer effective ways to scale through not only PEPs, but also traditional MEPs and even your own non-MEP solution. Check out our previous Vestwell U webinar on associations for help on how to tap into this market or our session on traditional MEPs if you’re looking for more information on how they operate.

That being said, just because PEPs are now easier, doesn’t mean they’re always the right option. You can often replicate the same benefits around price and administrative lift elsewhere. There are already a number of recordkeepers offering similar low cost, institutional pricing, and in some senses, you can provide the same value without waiting for 2021 or putting in the investment of standing up a new initiative.

Trend #2: Continued Industry Consolidation

It’s no secret there has been major consolidation across the retirement industry, from recordkeepers, to TPAs, to advisory firms and beyond. Just last year the RIA industry underwent record M&A activity for the 7th year straight, and recordkeepers have consolidated from more than 400 just a decade ago to about 160 in 2018. We anticipate this continuing, since recordkeeping is a relatively undifferentiated product in an industry with high barriers to entry. Consolidation also helps providers combat the significant drop in participant fees over the past 10-15 years. As recordkeepers take advantage of economies of scale, they can invest in better technology, cut costs, and drive additional revenue through other products such as managed accounts.

What this means for advisors

Consolidation is helping RIAs and recordkeepers not only build out their offerings, but it’s also putting them in more direct competition with one another. For example, large RIAs such as Pensionmark now have participant call centers, among other services, that were traditionally only offered by the recordkeeper. Recordkeepers, on the other hand, are encroaching upon core competencies of the advisor by becoming more participant focused, often in the hopes of competing for the wealth business on the back end.

To combat the heightened competition, advisors should consider the long term nature of their recordkeeper partnerships. There is already a growing fear among advisors that occurs when they move clients to a recordkeeper whose competencies overlap with their own or who is competing with them for wealth business on the back end. There is also increasing frustration around recordkeepers refusing access to participant level data, so it’s important to take your own business plan into consideration when determining where to place your clients’ plans.

Trend #3: Increased Attention on Managed Accounts

401(k) managed accounts have become more and more popular over the past 5-10 years, with the amount of money in these accounts increasing from about $100 billion in 2012 to over $270 billion in 2017. The trend toward managed accounts is likely driven by two currents: 1) fee compression, as these products are a way for advisors to charge (and justify) higher fees, and 2) growing frustration around the stagnant nature, and ongoing conflicts, in current offerings including target date funds.

What this means for advisors

If you don’t have a point of view or an articulated solution for a more customized investment structure for participants (i.e., a managed account), it’s important to start thinking about one. Aside from the fiduciary risk, which leaves you and your plan sponsor vulnerable, it creates a real opportunity to get closer to the participant. That being said, while managed accounts give advisors a better tool to assess appropriate risk for clients, that doesn’t mean they are right for everyone. Target date funds (TDFs) will likely suffice for most participants under the age of 50 unless they have a lot of investable assets. For those over the age of 50, we recommend implementing a “QDIA 2.0” to auto-enroll clients into managed accounts, which will offer them a more customized approach as they near retirement. Without making managed accounts a QDIA, adoption will be tough.

Looking ahead

For a notoriously slow-moving industry, these trends signal that changes are underway. Better yet, several of the trends are aimed at improving things for sponsors and participants. With PEPs, reduced administration and liability make balancing a plan while running a business more manageable. When it comes to industry consolidation, lower fees and better technology mean participants have more money going into their accounts while gaining access to a better experience. As for managed accounts, greater access to a customized approach can help those nearing retirement feel more comfortable with their investments. In turn, these trends help advisors to more strategically align with their clients’ needs and market around them. As you build your 2020 plan, it’s important to maintain a pulse on the direction of the market and continue to flex your strategy in a way that best aligns your vision to the needs of your clients.

President Signs SHRM-Backed Measures that Include Cadillac Tax Repeal

By Stephen Miller, CEBS

Congress overwhelmingly passed and President Donald Trump has signed into law an end-of-year spending bill and a companion tax extenders measure that contain several agenda items championed by the Society for Human Resource Management (SHRM), including full repeal of the so-called Cadillac tax on high-cost health plans. The SECURE Act, a measure to promote savings by easing compliance burdens on defined-contribution and defined-benefit retirement plans, was attached to the appropriations bill.

SECURE Act Alters 401(k) Compliance Landscape

By Stephen Miller, CEBS

President Donald Trump on Dec. 20, 2019, signed into law the Setting Every Community Up for Retirement Enhancement (SECURE) Act, a bill to help employers create and run retirement plans for workers. The Society for Human Resource Management (SHRM) strongly backed the measure, which the House first passed in May and the Senate approved on Dec. 19 as part of a year-end appropriations package.

Why Does the Plaid Acquisition by Visa Matter?

By Aaron Schumm, Founder & CEO, Vestwell

Old meets new: How Visa’s acquisition of Plaid validates high demand for modern infrastructure across financial services

The financial services industry has been hindered by years of precedent – antiquated technology, safeguarded data, and closed systems. Yet Visa’s recent acquisition of Plaid sheds light on what’s to come. Visa didn’t acquire Plaid for its revenue (estimated at around $150 million and having contributed only 30-40bps of net revenue growth in 2020), but for its access within a modern infrastructure. Some might say that Plaid is purely defined by access. Its central offering is the ability to connect different applications in a way that makes the flow of everything from data to money a seamless experience. Through an infrastructure that can flexibly work with financial institutions in a modernized fashion, Plaid sets the stage for bringing Visa’s tools and services to life across the customer journey.

You don’t have to go out with the old to come in with the new.

Today’s modern tech stacks allow for more flexible, configurable, and efficient systems, which is why we saw over $128 billion in fintech acquisitions in 2019. Being the engine is a powerful way to build a business that scales, especially in the aging financial services market. In a world where consumers are taking a more holistic view of their financial wellness, connectivity becomes a critical factor across the thousands of providers in the ecosystem. Providers hoping to service these consumers, especially those built on older systems, must look outside their institutions and think strategically about how to best support the end-user.

So why is this important? Because having the right infrastructure in place has significant downstream implications. Traditional financial institutions cannot merely scrap their infrastructure and start fresh. Working within a legacy ecosystem, while modernizing the core of data movement and connectivity, is powerful.

Just as Visa is leveraging the Plaid acquisition to gain better connectivity, data, and access, so can these same benefits be realized in other markets. We see it happening on the payments side with Stripe as well as in the retirement space. In each, traditional providers are working off antiquated technology that wasn’t built to talk to anything else, yet the provider and the consumer can’t make proper, big financial decisions without modern structures in place.

Engines scale, vanity wanes.

Building a B2C business is always attractive… at first. It’s the idea of “what if we created and became the next [fill in the industry-leading brand name here]?”. But in financial services – an industry touching the 2nd-most sensitive thing in someone’s life, behind family – building a brand that one can truly trust is expensive.

There will not be one winner in a free market Finserv/Fintech industry, but there will be clear leaders. And those leaders will not be dethroned easily. This creates an even more attractive case to power the established leaders, enhancing areas of weakness, and emphasizing those of strength through modernization.

Better data yields better experiences.

The banking, wealth, and retirement worlds have been reticent about providing data across partners. This is partly a business play, and partially a gap in capability. However, in a day and age where information is often readily available and where AI facilitates smart decisions, opening up clean data can be powerful in helping users make better decisions and, ultimately, enjoy a better user experience. Visa, for example, will now know not only transaction patterns and cash flow, but also a consumer’s assets and liabilities, so they can better offset risk and cash flow. They’ll also be able to tie in any applications and services that align to specific user needs.

Allow others to do what they do best and connect the rest.

It’s difficult to be all things to all people. Leveraging open architecture will drive efficiency. While M&A gives companies the ability to grow or streamline capabilities, there are always going to be competencies best left to someone else. Putting the infrastructure in place to take advantage of user synergies can significantly enhance the user experience. For example, eliminating multiple logins, ensuring consistency of data, and reducing bottlenecks, will save time and, ultimately, money, while a customized user experience will create retention.

Everyone wants to own the (extensive) participant journey.

Many in financial services find themselves embroiled in a space race to own the participant journey. In retirement, there’s an appetite for managing everything from benefits and wellness to managed accounts and lifetime income. In payments, it’s purchases and cash flow to assets and liabilities. Yet legacy technology inhibits integration, scale, and data. Plaid is an enabler for greater access, and this recent acquisition highlights how today’s modern mainstream will power financial services into the next chapter.

About Vestwell.

Vestwell is a digital retirement platform that makes it easier to offer and administer plans. By combining advanced technology with a human approach, we remove traditional friction points related to onboarding, management, administration, pricing, and compliance. The result is an unconflicted and customizable offering that provides a modern experience for all involved. Read more at

Cyber (In)Security: Why Retirement Plans Are at Risk and How to Protect Them

With 401(k) plans holding trillions of dollars in assets — along with personal information such as Social Security numbers, bank account information, and more — it’s no wonder they’ve been the target of recent cyberattacks. As fiduciaries, advisors and plan sponsors are wondering what exactly they are liable for and how to protect their plans. Vestwell’s December 18 panel, featuring cybersecurity expert Joe Pampel and retirement law expert Jason C. Roberts, explored this very topic.

What are fiduciaries liable for?

As of now, ERISA and relevant case law are silent about the extent to which fiduciaries are liable for data security violations, though there are numerous state and federal law theories that may hold them liable for a variety of monetary damages. As the law in this area evolves, the following legal principles are becoming well-settled:

  1. Protect plan data. Plan fiduciaries are required to protect all plan assets. Although it is unclear whether participant data is considered a “plan asset,” fiduciaries should be cautious and take reasonable steps to keep sensitive plan data out of criminals’ hands.
  2. Vet service providers. Fiduciaries must prudently select service providers, such as their payroll vendor and recordkeeper. Part of selecting these vendors is asking about how they protect participants’ personal information and understanding their overall security procedures.
  3. Ensure other fiduciaries don’t breach their duties and take steps to remedy any known breach. This is a mouthful, but it simply means that advisors and plan sponsors should make sure other fiduciaries fulfill their duties and, if there is a security breach, take the necessary remediation actions, which may include replacing the service provider.

Selecting the right providers

We’ve already addressed how plan fiduciaries are responsible for vetting their service providers, and since cybersecurity is a critical part of the selection process, it’s important to ask the right questions.

  1. How do they manage data? This can be as simple as asking providers how information flows into and out of the recordkeeping system and who has access to personal information. Ask if the data is stored in the United States or abroad and how they back data up, such as whether it’s stored on backup tapes or in the cloud. Ask about the vendor’s background screening of its employees and how often those checks are updated.
  2. Do they offer contractual protections? Plan fiduciaries should include contractual protections to hold third parties liable for security breaches. This can include things such as requiring the provider to notify you within a few days of discovering a data incident as well as verifying sufficient cybersecurity insurance coverage.
  3. Have they had any historical breaches? In addition to asking providers what steps they are currently taking to prevent attacks, ask them about any breaches they have had in the past, how they were resolved, and how often they undergo security audits. Also ask these questions of any subcontractors they use, as those are often overlooked in the vetting process.

Protecting your own business

In addition to selecting secure vendors, plan sponsors should also make sure they are taking necessary steps to protect their own plans by:

  1. Getting insurance. Just like third party vendors, sponsors can and should obtain cybersecurity insurance to help protect assets in case of a breach of their own security systems.
  2. Monitoring plan statements. Sponsors should review plan activities such as unusual and/or large withdrawals, and educate participants to do the same.
  3. Ensuring data security. Just as one would ask a service provider about its processes, it’s important to understand how sensitive data is shared internally. Sponsors should restrict access to only those employees who need it.
  4. Reviewing providers (at least) annually. Sponsors should use the steps above to analyze providers’ security practices at least once per year, if not more often.
  5. Educating employees. Employees should receive training at least annually on ways to mitigate the risk of a cyberattack. This includes things such as choosing strong, unique passwords, enabling multi-factor authentication, monitoring account activity, and only accessing their plan from secure devices.

Although ERISA does not include any specific rules when it comes to cybersecurity, fiduciaries are responsible for protecting their retirement plans. From restricting access to plan data to properly vetting service providers, there are practical steps advisors, plan sponsors, and even participants can take to mitigate the risk of a cyberattack.