The SPARK Institute announced the development of industry best practices for how recordkeepers should report their cyber security capabilities to plan sponsors and plan consultants.
Last year, The SPARK Institute formed a Data Security Oversight Board (DSOB), composed of both recordkeepers and members of the plan adviser community. “Our original focus was trying to create a data security standard that all industry players needed to meet. However, we quickly realized that one overarching standard was not only unattainable given the different security frameworks each recordkeeper uses, but also was bad security policy. If that one standard were breached, then everyone’s systems would be at risk,” says Doug Peterson, the chief risk officer for Empower Retirement and the chair of SPARK’s DSOB. “In the end, we chose to standardize how security capabilities are reported, so the plan sponsor would have a uniform way to better compare each vendor.”
When a member firm uses SPARK’s best practices to describe its overall data security capabilities, it must use the 16 critical data security control objectives defined by the DSOB. These best practices also require members to use an independent third-party auditor. Each audited report, regardless of the security framework used, must include a detailed mapping that ties each identified control to one of SPARK’s 16 control objectives.
“Cyber security is becoming a significant concern for everyone, especially plan sponsors. Plan sponsor governing bodies may not have cyber security expertise, and most plan sponsors outsource their recordkeeping, customer service and marketing services. So, the establishment of standardized reporting of best practices for cyber security with independent certification can be a great comfort and great assistance to plan sponsors,” says Keith Overly, executive director of the State of Ohio’s Deferred Compensation Plan.