Cybersecurity poses strain between plan sponsors, record keepers

Vendors reluctant to provide details on cyberdefenses

Mar 23, 2019 @ 6:00 am

By Tim Rouse

Data security breaches are an unfortunate part of our increasingly digital world. For plan sponsors, this means a responsibility — a fiduciary obligation, some say — to ensure the protection of their employees' personal data. So plan sponsors ask the record keepers that administer employee benefit plans to prove their cybersecurity capabilities are robust.

This naturally results in plan sponsors asking more questions regarding cybersecurity as they evaluate potential vendors. Plan sponsors want to know what firms are doing and want more transparency into how vendors prevent data breaches.

Gartner Inc. predicts that vendors will spend $124 billion on information security worldwide in 2019. According to Netscribes, a global market intelligence provider, the global spend for cybersecurity in the financial services market is expected to expand by 9.81% and top $43 billion by 2023.

Although vendors recognize the threat and are making the investments to protect data, tensions have grown between plan sponsors and plan administrators.

Two issues create the cybersecurity strain between plan sponsors and record keepers:

The proliferation of cybersecurity questions. If cybersecurity is a concern for advisers, it is understandable that they and their clients will ask a lot of questions. The number of unique cybersecurity questions plan sponsors ask their record keepers has risen from several dozen a decade ago to almost 1,500 today. The average record-keeper request for proposals has almost 300 questions dedicated to cybersecurity.

The intimacy of the cybersecurity questions. Not only are plan sponsors asking more questions, they are asking questions that record keepers regard as very sensitive, because the questions get at the core of how they defend against cyberattacks. Answering these questions could provide potential hackers with a road map into a vendor's system. As a result, vendors are refusing to answer such questions.

No disclosure

For example, advisers and clients almost certainly won't learn from most record keepers the areas where they're protected and where they fall short. Nor will record keepers disclose the products, processes or methods used to protect data. As a hacker, if I know these things, I have a head start on how to breach your defenses.

Record keepers also won't share data around penetration tests, which are intentional attacks on a system to learn where it might be vulnerable. Clearly, this is not information that can (or should) be disclosed, yet clients have requested these results in the past.

Policymakers are beginning to take more notice. The issue of cybersecurity in the retirement industry recently reached the attention of two members of Congress: Sen. Patty Murray, D-Wash., and Rep. Bobby Scott, D-Va. These lawmakers asked the Government Accountability Office to study cybersecurity for retirement plans and answer a series of questions related to how effectively plan sponsors are monitoring the security of their plans' data. Many policymakers and regulators are beginning to view plan data as a plan asset that carries all of the same fiduciary duties as other plan assets.

Clearly plan sponsors have a right and an obligation to check on the cybersecurity capabilities of their vendors, but vendors also need a certain level of secrecy around the means they employ to provide that security. If a vendor provides answers to sensitive security questions to one client or prospect, it would be unjust not to provide the same to all clients and prospects, great or small. Eventually this information would be disseminated to the point where it is public knowledge and ends up in the hands of cybercriminals.

Disconnect with clients

In short, there is a disconnect between what advisers and their clients want — even need — to know in order to carry out their fiduciary obligations, and what record keepers are willing to disclose.

To help solve this dilemma, the Spark Institute worked with record keepers and plan advisers to develop a new industry standard on how companies can communicate their data security capabilities in a reliable and consistent way.

The new standard consists of the 16 critical data control objectives most frequently cited by plan sponsors, including areas such as risk assessment and treatment, security policies, organizational security and asset management. The standard requires record keepers to use an independent third-party auditor to attest to the controls implemented.

For plan sponsors and their advisers looking to gauge a vendor's data security, the Spark standard provides a solid means to measure them. An adviser can request these reports from record keepers and compare one vendor to another in an apples-to-apples way.

Record keepers and plan advisers hope these new standards will enable plan sponsors to meet their fiduciary duty and better protect plan data from cybercriminals. The standards should encourage a virtuous cycle of constant improvement among record keepers, which will benefit the entire industry.

Tim Rouse is executive director of the Spark Institute.
