Recordkeepers and retirement industry consultants are banding together to beef up cybersecurity.
Collaborative effort between recordkeepers and consultants leads to updated Data Security Best Practices and new Plan Sponsor & Advisor Guide to Cybersecurity to strengthen the retirement industry’s defenses against cyber criminals.
Developed by its Data Security Oversight Board (DSOB), SPARK’s Data Security Best Practices and 17 Control Objectives establish a base of communications between recordkeepers and the public through third-party audits of cybersecurity Control Objectives. This is the latest milestone in the SPARK Institute’s ongoing effort to strengthen cybersecurity throughout the retirement industry.
“SPARK’s retirement industry cybersecurity leaders drew on their deep expertise in an unprecedented collaborative effort to come up with an action plan to help recordkeepers communicate the full capabilities of their cybersecurity systems to plan consultants, clients and prospects.”
Dennis Lamm
“Plan sponsors have an important role in working with service providers so that they have controls in place that are following cybersecurity best practices. The revised SPARK Data Security reporting standards help in that regard,” said Dennis Lamm, Senior Vice President/Head, Customer Protection at Fidelity Investments and a member of SPARK’s DSOB. “SPARK’s retirement industry cybersecurity leaders drew on their deep expertise in an unprecedented collaborative effort to come up with an action plan to help recordkeepers communicate the full capabilities of their cybersecurity systems to plan consultants, clients and prospects.”
While recordkeepers compete against each other in many areas, cybersecurity isn’t one of them. SPARK Institute Executive Director Tim Rouse told 401k Specialist that collaboration is essential to battle the bad guys.
“This group’s been together for 7 years now, and they recognized early on that they don’t compete on cybersecurity. A breach of any one member is reputational damage to all members,” Rouse said. “Working together is a necessity. The bad guys work together and it’s incumbent really on industry members to work together.”
Rouse noted that the 17 Control Objectives are consistent with and in alignment with the Department of Labor Cybersecurity Program Best Practices released last year. “They also satisfy the requirements for Reliable Annual Third-Party Audit of Security Controls for recordkeepers,” Rouse added. “In addition, from recent surveys, we know that SPARK members already have strong cybersecurity controls in place. The DSOB consolidated these current industry practices into its Best Practices for Cybersecurity to further protect retirement assets against criminal cyber activity and enable plan sponsors and advisors to better manage their fiduciary responsibilities,” he concluded.
Among what’s new is the addition of an additional Control Objective. “We added one new category around ransomware. It really needed to be brought out separately,” Rouse said.
Rouse noted that the SPARK Institute’s work in developing cybersecurity standards continues to play an instrumental role in helping the Department of Labor develop and release best practices standards, as was the case when the DOL released its cybersecurity standards just over a year ago.
The DSOB consists of 41 members, including chief information security officers or chief risk officers from all of the major recordkeepers. The board also includes representatives from industry consultants including Callan, Siegal, Willis Towers Watson and others.
“We did that intentionally when we started this group,” Rouse said of the mix of recordkeepers and consultants. “Because they really act as the watchdogs if you will. We didn’t want this to be simply a ‘check the box.’ We wanted it to be meaningful so the plan sponsors and advisors that are depending on these standards can rely on them.”
Rouse said the cybersecurity standards will continue to be updated as developments warrant, and they build on standards created around fraud and fraud prevention.
“When it comes to cybersecurity, it’s intended to be the beginning point. It’s intended to provide plan sponsors advisors and consumers the basic information that they need to begin to do their evaluations around cybersecurity,” Rouse said.
The new updates can be found here on the SPARK Institute website.
The SPARK Institute is a member-driven, non-profit organization and leading voice in Washington, D.C. for the retirement industry. SPARK helps shape national retirement policy by developing and advancing positions on critical issues that affect plan sponsors, participants, service providers, and investment providers. Collectively SPARK Institute’s members serve approximately 100 million participants in 401k and other defined contribution plans.
SEE ALSO:
• 3 Critical Cybersecurity Issues Advisors Should Know About
• Cybersecurity Due Diligence Key to Minimizing 401k Reputational Risk
• Cybersecurity A Major SEC Focus in 2022: Wagner Law Group
Veteran financial services industry journalist Brian Anderson joined 401(k) Specialist as Managing Editor in January 2019. He has led editorial content for a variety of well-known properties including Insurance Forums, Life Insurance Selling, National Underwriter Life & Health, and Senior Market Advisor. He has always maintained a focus on providing readers with timely, useful information intended to help them build their business.
