Dave Dyk
Meet our writer
Dave Dyk
VP of Risk & InfoSecurity, Betterment
Articles by Dave Dyk
-
The 401(k) security briefing your plan sponsors need
The 401(k) security briefing your plan sponsors need Jul 2, 2026 12:34:37 PM AI-enabled fraud is targeting retirement plans. Here's how advisors can help sponsors. Retirement plans are a high-value, low-vigilance target: big balances, infrequent logins, and multiple service provider touchpoints. AI has made the fraud landscape meaningfully worse in the last 18 months. This is the security briefing your plan sponsor clients probably haven't gotten yet. Why 401(k) plans are uniquely exposed Retirement assets sit at the intersection of everything fraudsters look for: They're often a participant's second-largest asset after their home, logins are infrequent enough that losses can go unnoticed for weeks, and money moves through a chain—advisor, sponsor, recordkeeper, TPA. Fraudsters may use publicly available information to target participants, plan sponsors, and advisors. Here are 7 steps you can take to help protect your clients' security. The 2026 threat landscape The human verification layer that we’ve relied on for so long is no longer reliable. As AI capabilities increase, fraudsters are finding ways to target retirement plans. One type of attack involves voice-based phone calls, where a fraudster convincingly imitates a person's voice using AI, a technique known as a deepfake. Fraudsters are also using deepfake video and increasingly targeted social engineering, where attackers research their victims in advance to make impersonation attempts more convincing. Worryingly, deepfake identity fraud is on track to surge nearly 500% over the course of 2026. What regulators now expect The Department of Labor has issued cybersecurity guidance for ERISA plans that sets a clear bar for what plan sponsors should look for from providers. Key requirements include a documented security program, controls that match today's threat environment—multi-factor authentication (MFA), active monitoring, encryption—diligence on third-party vendors, and an incident response plan that's actually been tested, not just written down and filed away. You can learn more about the DOL guidance and how Betterment addresses it here. Your plan sponsor clients may not know this guidance exists. That's an opening: Cyber diligence is now part of what it means to select a prudent provider, and advisors who can walk sponsors through that checklist are delivering real value. Practical protection for participants Most retirement-plan fraud doesn't come from databases getting breached. It comes from people getting tricked—a convincing phone call, a fake login page, a weeks-long relationship that turns out to be a scam. The basics go a long way: Turn on MFA—app-based, not just SMS. Use a password manager. Add a trusted contact to the account. Check the account balance and activity once a quarter. None of these are complicated, but few participants have done all four. If a participant's email gets compromised, here's the playbook to walk them through: Lock down access. Help them reset credentials to their email account, the plan portal, and any other financial institutions. Force a logout of all active sessions. Re-enroll MFA from a different device. If the attacker had access to the phone or computer the client normally uses, that device may still be compromised—and any new MFA factors enrolled on it could be captured too. Use a phone, tablet, or computer the attacker hasn't touched. Brand-new isn't required; just different. Audit the last 30–90 days. Look at distributions, loans, beneficiary designations, and address changes. Watch for rollover requests. They're the most common follow-on to an account takeover — flag anything that comes in shortly after. Document everything and notify the recordkeeper and the plan sponsor. The paper trail matters. How sponsor-level controls work A key control in managing a retirement plan is the application of access controls to ensure that high-risk activities are restricted to authorized parties. Roles such as advisors or plan sponsors may be established with some plan administration capabilities; however, transactions such as distributions, signer changes, plan amendments, and payroll-related changes require authentication directly from the plan sponsor. A forwarded email, even one that looks completely legitimate, does not authenticate a transaction. The reason the line is drawn there is to make social engineering hard. Fraudsters try to impersonate advisors, plan sponsors, and service providers. How to use this in your practice Security is a natural way to reopen a conversation with plan sponsors who haven't reviewed their provider in a while. The entry point isn't "you should switch providers"—it's "when was the last time anyone walked you through the cyber-diligence side of your plan?" Betterment's Trust Portal and the 401(k) security brochure give sponsors something concrete to work from. Both are available through your Client Success Manager or at trust.betterment.com. Ready to bring a sponsor into the conversation? If you already have an account with Betterment Advisor Solutions, use the Request a Proposal button in your advisor dashboard—it reaches the right team within one business day. If you or a plan sponsor that you support would like to access documentation to support due diligence activities, the Betterment trust portal can be used to access independent SOC audit reports, key policies, and other supporting documentation. If you're exploring offering a 401(k) with Betterment for the first time, learn more here. -
7 steps to protect your client’s security in the age of AI
7 steps to protect your client’s security in the age of AI Aug 22, 2025 12:05:30 PM Your clients entrust you with their most sensitive financial details. Protecting that information isn’t only a regulatory requirement—it’s essential to maintaining trust and differentiating your advice. Below are practical, actionable strategies you can implement—including a few that have been changing, as artificial intelligence has begun to change the threats that clients face. 1. Password managers and multi-factor authentication One of the most important things you can do to protect clients is to ensure that your team always uses password managers and multi-factor authentication. Multi‑factor authentication (MFA) is generally available in custody platforms (including Betterment Advisor Solutions), email, CRM systems, and any platforms that store sensitive data. It’s one of the most effective, low-cost defenses against account compromises. There is even a handy website that allows you to look up whether a particular platform supports this type of authentication. You can pair MFA with a password manager to ensure your team uses long, unique, and complex passwords for every account—without the burden of remembering them all. A password manager reduces the risk of password reuse, which is a common cause of breaches, and makes it easier to update credentials regularly. Because MFA and password managers are so important, it could be good to go beyond just your firm, and advise clients to make use of them as well. 2. Avoid social engineering—and AI-powered phishing Cybercriminals use phishing and other types of social engineering—through texts, emails, and even voice messages that mimic trusted contacts—to bypass controls from financial institutions. As artificial intelligence technology has become widespread, criminal actors are doubling down on the use of social engineering. They can even use AI voice or video deepfakes to mimic clients or custodians calling in with urgent instructions. As Sam Altman recently warned at a Federal Reserve event: “A thing that terrifies me is apparently there are still some financial institutions that will accept a voice print as authentication for you to move a lot of money or do something else.” He emphasized that “AI has fully defeated most of the ways that people authenticate currently – other than passwords.” To address this risk, it’s important for your firm to have multi-layered verification (e.g., callbacks to verified numbers, code words, or secure portal confirmations) rather than just relying on voice authentication. You may also work with your IT provider to schedule ongoing simulated phishing exercises for training purposes. Remind your team: AI makes impersonation more believable than ever. 3. Encrypt data in transit and at rest Ensure that client data is encrypted during storage and transmission. Start by ensuring that your key service providers have good encryption practices. For email communication that involves sensitive information, use secure client portals instead of email attachments. Also work with your IT provider to ensure that mobile devices and computers are fully encrypted (for example, by enabling BitLocker for Windows or FileVault for Mac); this will help ensure that if a device is lost or stolen, the data remains protected. Pairing encrypted storage with secure transmission methods ensures client information is safeguarded at multiple layers. 4. Scrutinize third-party vendors Many firms rely on outside vendors to manage parts of their business. That’s why financial regulators emphasize oversight of third-party security practices: Client data can still be at risk even if it’s stored by someone else. When vetting custodians, software providers, and other partners, confirm they implement robust security measures—encryption, access controls, incident response plans—and document your due diligence. Many businesses now host a Trust Portal (for example, the Betterment Trust Portal) where advisors can securely access independent audit reports, penetration test summaries, and other compliance materials. Leveraging these resources helps you demonstrate compliance with regulatory expectations while ensuring vendors meet your firm’s security standards. 5. Use AI for monitoring and fraud detection AI isn’t just a threat—it’s also a defense. Advisors can also work with their IT provider to deploy AI-enabled cybersecurity controls like endpoint detection and response (EDR) software, which continuously monitors laptops and other devices for suspicious behavior, such as unauthorized access attempts or malware activity. This adds another layer of proactive protection beyond traditional antivirus tools. To protect client accounts from fraud, platforms like ours flag unusual patterns that may indicate identity theft or other types of fraud, helping detect issues more effectively. Prioritize monitoring these alerts to help prevent fraud before your clients are impacted. 6. Stay current with patches and updates One important bit of security advice has not changed with AI: Unpatched software remains a prime vulnerability. You’ll want to ensure that you have effective processes in place across all systems—including operating systems, apps, and even office devices like printers—and enable automatic updates where possible. It’s also important to have a way to identify and measure the effectiveness of this process. Many IT service providers will use a vulnerability management scanner to identify any devices that have out-of-date software with security vulnerabilities. 7. Create an incident response plan No defense is foolproof. Get ahead of it, and prepare a written incident response plan, identifying roles, communication steps, client and regulator notifications, and recovery actions. Be sure to consider common types of incidents such as a compromise of your business email system, or a ransomware attack. One important consideration to respond to ransomware attacks is ensuring that your firm data is backed up in secure, separate locations. Then you’ll want to do a test run. Check your ability to restore backups, and host a tabletop simulation to clarify roles and responsibilities with your firm, IT service provider, and other business partners. Final thoughts In today’s landscape, protecting client data is essential—not optional. The rise of AI presents both risks (like deepfake impersonation) and opportunities (like monitoring tools). By prioritizing security, you will protect your firm and build trust with clients.

