Your Clients’ Cybersecurity Concerns
Art by Lily Padula
As more cybersecurity attacks are reported about in the media, it is an issue at the top of many minds in the retirement industry.
In 2018, the ERISA Advisory Council asked the Department of Labor (DOL) to provide guidance on how plan sponsors should evaluate the cybersecurity risks they face and to require them to be familiar with the various security frameworks used to protect data, as well as to build a cybersecurity process. Earlier this year, lawmakers sent a letter to the Government Accountability Office (GAO) asking it to examine cybersecurity in the U.S. retirement system. The letter identifies 10 questions the lawmakers would like the GAO to answer, following its examination.
Even as the issue evolves, there are some practical steps retirement plan providers are taking to relieve retirement plan sponsors’ worries about the risk of cybersecurity threats to participant accounts. According to Wendy Carter, vice president and defined contribution director in Segal’s Washington, D.C. office, and a vice-chair of the Data Security Oversight Board for The SPARK Institute, all companies have insurance to make participants whole if their account balances are accessed and taken.
Allison Itami, principal with Groom Law Group in Washington, D.C., and co-author of a white paper issued by the Pension Research Council and The Wharton School, University of Pennsylvania, says cybersecurity insurance is an evolving area—a growth opportunity for insurers. Plan sponsors’ errors and omissions (E&O) insurance provider may have it, but they may need to find a specialist broker to help find it.
Plan advisers can help in this area as well. But, mainly advisers help plan sponsors with cybersecurity concerns by including questions about cybersecurity practices in requests for proposals (RFPs) issued to providers. However, Carter notes, providers are concerned about providing information about their cybersecurity practices, and that their efforts would be for naught because hackers could get access to the information they reveal.
Framework to help evaluate cybersecurity processes of providers
These concerns are why The SPARK Institute came up with a framework for cybersecurity disclosure by plan providers. It includes 16 identified critical data security control objectives, and requires plan providers to use an independent third-party auditor. According to the white paper co-authored by Itami, each audited report, regardless of the security framework used, must include a detailed report showing identified controls mapped to one of SPARK’s 16 control objectives.
Those 16 control objectives are:
- Risk assessment and treatment;
- Security policy;
- Organizational security;
- Asset management;
- Human resource security;
- Physical and environmental security;
- Communications and operations management;
- Access control;
- Information systems acquisition development;
- Incident and communications management;
- Business resiliency;
- Compliance;
- Mobile;
- Encryption;
- Supplier risk; and
- Cloud security.
Itami explains that the framework is trying to reach the goal of providing a format for plan sponsors to look at different providers and compare apples to apples. “A plan sponsor can take the approach of asking the 16 questions, but that is not efficient, and they might run into resistance about giving detailed information that could be used by hackers,” she says.
With the SPARK framework, an outside auditor will write a report analyzing how recordkeepers address the 16 controls. “They will lay out a provider’s process without going into details. For example, the report may say, Provider A uses X encryption,” Itami says.
She adds that the report shows a provider has something in place and whether it looks rigorous or not.
Carter says the auditor’s report will also identify whether any issues have come up with a provider, whether it was a significant risk and whether it has been corrected.
At the time the framework was being developed, Mike Volo, senior partner at Cammack Retirement Group in Wellesley, Massachusetts, and a participant on SPARK’s Data Security Oversight Board, said, “We are experts in retirement plans and investments, not in data security. I think with this Common Certification Criteria, as we do RFP searches, having the certification will be a requirement. It will streamline our RFP process.”
Itami says in RFPs, advisers can ask prospective providers whether they have had an independent audit of cyber controls and to see the report. If they don’t have one, the adviser can ask for one.
When an adviser is asked about cybersecurity controls
Segal has an investment advisory business and, according to Carter, most of what it sees in RFPs regarding cybersecurity is a request for its data intake and management protocols.
While the SPARK solution is for recordkeepers, advisers concerned about revealing confidential business practices may consider a similar audit report to provide plan sponsors.
Carter adds that as part of its cybersecurity best practices, Segal’s investment advisory business doesn’t maintain any participant information.
A post from Joseph J. Lazzarotti, a principal at law firm Jackson Lewis, says B.C. Pension Corporation announced a data breach involving pension plan records after discovering a box containing microfiche could not be found following a recent office move. The box contained personal information (names, Social Security numbers and dates of birth) on approximately 8,000 pension plan participants. The company employed those participants during the period 1982 to 1997.
He noted that ERISA includes specific record retention requirements, but he cited a 2016 ERISA Advisory Council report of considerations for the DOL, which said plan sponsors and service providers should:
- Retain only the data that is needed; if certain data elements can be redacted, remove them;
- Maintain an inventory of records that are retained regardless of format, and where to find them;
- Outline a clear process for moving records, and track location and inventory during the move; and
- Delete records that are no longer needed; confirm service providers have done so, as applicable.