Why 401(k) Sponsors Must Prioritize Cybersecurity

It’s no longer a question of if a retirement plan will be targeted by cybercriminals, but when.  With vast amounts of sensitive personal data and trillions of dollars in retirement assets flowing through recordkeepers, custodians, and plan sponsors, these systems have become prime targets for increasingly sophisticated attacks.  A single breach can devastate participant trust, trigger costly litigation, and put fiduciaries under the microscope of regulators.  That’s why the Department of Labor has made cybersecurity a clear fiduciary obligation, not just an IT concern.  For plan sponsors, the responsibility now extends beyond ensuring their own systems are secure—they must also verify that every vendor touching the plan, from recordkeepers to advisors, has the policies, audits, and protections in place to safeguard participant assets.

Against this backdrop, Fred Barstein, founder and CEO of TPSU and 401KTV, interviewed Robert Massa, Managing Director of Prime Capital Investment Advisors, following a TPSU program at Rice University in Houston.  Massa, whose firm specializes in ERISA and non-ERISA retirement plans as well as wealth management, discussed the most common mistakes plan sponsors make—particularly the lack of attention to fiduciary responsibilities and cybersecurity.

Massa explained that while understanding the duties of prudence and loyalty is critical, cybersecurity has become one of the most urgent fiduciary priorities.  He noted that many employers overlook extending corporate cyber policies to their retirement plans or fail to verify that vendors are meeting compliance standards.  He stressed the importance of reviewing SOC audits, ensuring proper cyber insurance coverage, and educating participants on protecting their own accounts.  Massa emphasized that being hacked is not a matter of “if” but “when,” and what truly matters is how plan sponsors and their vendors respond when breaches occur.  Clear vendor policies and participant protections are essential to safeguarding both assets and trust.

Read the Full Transcript Here:

Fred Barstein:

Greetings. This is Fred Barstein, founder and CEO of TPSU and 401K TV. Just completed a program at Rice University in Houston. I’m here with Robert Massa. Welcome, Robert.

Robert Massa:

Thank you, Fred. It’s good to be here.

Fred Barstein:

Okay if we ask you a few questions?

Robert Massa:

Absolutely.

Fred Barstein:

Okay. Before we do, tell us a little bit about yourself and your firm.

Robert Massa:

I’m the managing director of Prime Capital Investment Advisors here in Houston. We are specialists in ERISA plans. We also do wealth management. We’re specialists in ERISA plans and non-ERISA plans, both defined contribution and defined benefit plans, and even ESOP. So spent a lot of time in all of those.

Fred Barstein:

So today you talked about the 11 biggest mistakes that plan sponsors make or don’t do right. What’s your favorite?

Robert Massa:

Well, of course, first and foremost, it is making sure that they understand the responsibilities of being a plan fiduciary, understanding the duty of prudence and understanding the duty of loyalty. But specifically, I get very passionate about cybersecurity. I was probably one of the first people to be screaming about cybersecurity before it was cool. The Department of Labor, as you know, came out with a set of guidelines about things that you need to be doing in regards to cybersecurity and how you protect the plan and the participants. They don’t do that just willy-nilly. They’ve only done it a few times, such as with target dates.

And so this is obviously an important focus for them, and it should be a focus for all employers to make sure that they understand what’s going on with their vendors and their own corporations and their participants to make sure the plan’s protected and the asset’s protected.

Fred Barstein:

So what’s the biggest mistake or the thing that plan sponsors don’t do right, in your opinion, around cybersecurity?

Robert Massa:

I think first of all, it’s not understanding exactly what they need to be doing. In other words, do they have the right cyber policies and making sure they extend it to their plan itself. So the new corporations have cyber and cyber policy, but they don’t think about how that affects their plan. And then making sure that their vendors, whatever it is, that they are also cyber compliant. Getting SOC audits and reading those SOC audits and making sure that they have the right insurance protection as well to protect the plan and participants. And of course, educating the participants on their responsibilities to protect their assets.

Fred Barstein:

Right. Because it’s not a question of whether you’re going to get hacked, it’s when and how bad it is, and that’s where your record keeper.

Robert Massa:

Absolutely. You know what? I said this before, and I’ll say it again. I don’t get upset when people get hacked. As long as they’re trying and doing everything they can do to protect them, we’re all going to get hacked at some point. It’s how you respond I think that matters these days. And you don’t want to be on the sidelines. You want to know what your vendors are up to. You want to make sure they’re protected, and you want to make sure what is their policy if an account is attacked or stolen and money is missing, exactly how are the participants protected.

Fred Barstein:

Final question. This was your first TPSU event. In your opinion, why should a plan sponsor come to an event like this?

Robert Massa:

There is no way that a plan sponsor can possibly get enough fiduciary education. They really can’t. And an event like this really gives them this incredible in-depth opportunity to get immersed in the fiduciary topics that maybe committee meetings are an hour or two hours. You cannot possibly get this much fiduciary education all at once. And the opportunity to talk to peers as well, not just professionals, but other peers, and share their stories and the things that they’re experiencing, it’s just incredibly invaluable for a plan sponsor of any kind.

Fred Barstein:

Great. Well, thanks for your time today. Thanks for being an adjunct lecturer. And thank you for watching TPSU. Please look out for a program or 401K TV and look out for a TPSU program near you.
