CyberSecurity and Artificial Intelligence: a 2022 Love Story for Plan Fiduciaries and Financial Advisors?

By shifting from a single shot strategy session to address trends and threats to a continuous learning one (by using AI), fiduciaries and financial advisors can more readily spot potential events or problems and respond to them more quickly.

2022 may be the year of Artificial Intelligence (AI) in retirement plans, but not because the AI market was expected to grow by more than 25% in 2021. Instead, AI may be a solid solution for advisors to ensure that plans they administer meet the Department of Labor’s new guidance or Best Practices on Cybersecurity.[1] Issued earlier this year, those best practices cover a range of topics. AI for investment management is expanding rapidly and happens to cover some of those same topics.

The ground AI is breaking in investing may be the same as that covered in the 12 focus areas that plan fiduciaries must address in the DOL’s Best Practices. These focus areas include identification and prevention of risks and threats as well as education and communication of plans.[2] A deep dive into the recommended cybersecurity program includes details such as vulnerability and patch management and system, application and network security and monitoring, two areas where AI is expanding. Additionally, the best practices also recommend a prudent annual risk assessment that will, among other things, “Identify, assess, and document how identified cybersecurity risks or threats are evaluated and categorized; Establish criteria to evaluate the confidentiality, integrity, and availability of the information systems and nonpublic information, and document how existing controls address the identified risks; and Describe how the cybersecurity program will mitigate or accept the risks identified….”[3] These are areas where fiduciaries and financial advisors may want to look to AI programs to help achieve these goals.

Not all data management is AI. The difference between the two can explain how AI helps meet cybersecurity needs more than other data programs. As one expert said, “AI systems are iterative and dynamic. They get smarter with the more data they analyze, they “learn” from experience, and they become increasingly capable and autonomous as they go. Data analytics (DA), on the other hand, is a static process that examines large data sets in order to draw conclusions about the information they contain with the aid of specialized systems and software. DA is neither iterative nor self-learning.”[4]

AI is expanding in the areas of increasing investments, rapid response and risk management,[5] among other things. AI’s expansion falls along the idea of the flywheel. As one analyst summed it up: “The flywheel effect comes primarily from AI systems that perform well and then produce more data, helping the system continually improve its performance.”[6] That same expansion, of learning then learning from the learning, makes AI a partner that can help plan sponsors respond more quickly to events. By shifting from a single-shot strategy session to address trends and threats to a continuous-learning one (by using AI), plan sponsors can more readily spot potential events or problems and respond to them more quickly. Finally, over the last few years, AI has gotten better at helping plan sponsors with cybersecurity risk management. Investing and retirement planning involve massive amounts of data that flow at a pretty good pace. Individuals, even highly trained cybersecurity professionals, on their own may not be able to identify unknown threats or mitigate potential risks. But AI can help those cybersecurity professionals detect, identify and prevent risks.[7] According to some experts, “AI helps you assess systems quicker than cybersecurity personnel, thereby increasing your problem solving ability manifold. It identifies weak points in computer systems and business networks and helps businesses focus on important security tasks. That makes it possible to manage vulnerability and secure business systems in time.”[8]


[2] 1. Have a formal, well documented cybersecurity program. 2. Conduct prudent annual risk assessments. 3. Have a reliable annual third party audit of security controls. 4. Clearly define and assign information security roles and responsibilities. 5. Have strong access control procedures. 6. Ensure that any assets or data stored in a cloud or managed by a third party service provider are subject to appropriate security reviews and independent security assessments. 7. Conduct periodic cybersecurity awareness training. 8. Implement and manage a secure system development life cycle (SDLC) program. 9. Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response. 10. Encrypt sensitive data, stored and in transit. 11. Implement strong technical controls in accordance with best security practices. 12. Appropriately respond to any past cybersecurity incidents.







These articles are prepared for general purposes and are not intended to provide advice or encourage specific behavior. Before taking any action, Advisors and Plan Sponsors should consult with their compliance, finance and legal teams.
