CEFEX offers independent testing and certification for investment advisers, recordkeepers, administrators and managers serving as fiduciaries over client assets (see “A Designation with Fiduciary Muscle”). The firm says it developed the new data security requirements in response to the Securities and Exchange Commission’s recently renewed effort to bring attention to cybersecurity (see “SEC Kicks Off Cybersecurity Assessment”). The goal is to help ensure that service providers understand the importance of data security and their responsibility when dealing with the privacy and safeguarding of client data.
“We believe that the protection of personal information lies within the fiduciary responsibilities of service providers,” explains Carlos Panksep, general manager of CEFEX. He says CEFEX hopes certified firms will soon be looked at as leaders in the industry when it comes to cybersecurity matters.
CEFEX assessments of investment advisers are performed according to the standards established in “Prudent Practices for Investment Advisors,” a set of guidelines published by fi360, Inc. For recordkeepers and administrators, CEFEX follows standards established in “The Standard of Practice for Retirement Plan Service Providers,” a separate set of guidelines published by the American Society for Pension Professionals and Actuaries (ASPPA).
These sets of standards require the protection of both assets and information by service providers, observes Brian Graff, chief executive officer and director of ASPPA.
“Retirement plan records and investments are often linked to personally identifiable information, so it’s imperative for service providers to adapt their systems accordingly as more and more retirement information is stored online,” Graff explains.
Full copies of the standards can be downloaded from CEFEX at www.cefex.org.