Cybersecurity poses strain between plan sponsors, record keepers

Vendors reluctant to provide details on cyberdefenses.

Data security breaches are an unfortunate part of our increasingly digital world. For plan sponsors, this means a responsibility — a fiduciary obligation, some say — to ensure the protection of their employees’ personal data. So plan sponsors ask the record keepers that administer employee benefit plans to prove their cybersecurity capabilities are capable and robust.

This naturally results in plan sponsors asking more questions regarding cybersecurity as they evaluate potential vendors. Plan sponsors want to know what firms are doing and want more transparency into how vendors prevent data breaches.

Gartner Inc. predicts that vendors will spend $124 billion on information security worldwide in 2019. According to Netscribes, a global market intelligence provider, the global spend for cybersecurity in the financial services market is expected to expand by 9.81% and top $43 billion by 2023.

Although vendors recognize the threat and are making the investments to protect data, tensions have grown between plan sponsors and plan administrators.

Two issues create the cybersecurity strain between plan sponsors and record keepers:

The proliferation of cybersecurity questions. If cybersecurity is a concern for advisers, it is understandable that they and their clients will ask a lot of questions. The number of unique cybersecurity questions plan sponsors ask their record keepers has risen from several dozen a decade ago to almost 1,500 today. The average record-keeper request for proposals has almost 300 questions dedicated to cybersecurity.

The intimacy of the cybersecurity questions. Not only are plan sponsors asking more questions, they are asking questions that record keepers regard as very sensitive, because the questions get at the core of how they defend against cyberattacks. Answering these questions could provide potential hackers with a road map into a vendor’s system. As a result, vendors are refusing to answer such questions.

No disclosure

For example, advisers and clients almost certainly won’t learn from most record keepers the areas where they’re protected and where they fall short. Nor will record keepers disclose the products, processes or methods used to protect data. As a hacker, if I know these things, I have a head start on how to breach your defenses.

Record keepers also won’t share data around penetration tests, which are intentional attacks on a system to learn where it might be vulnerable. Clearly, this is not information that can (or should) be disclosed, yet clients have requested these results in the past.

Policymakers are beginning to take more notice. The issue of cybersecurity in the retirement industry recently reached the attention of two members of Congress: Sen. Patty Murray, D-Wash., and Rep. Bobby Scott, D-Va. These lawmakers asked the Government Accountability Office to study cybersecurity for retirement plans and answer a series of questions related to how effectively plan sponsors are monitoring security of their plan’s data. Many policy makers and regulators are beginning to view plan data as a plan asset that incurs all of the same fiduciary duties as other plan assets.

Clearly plan sponsors have a right and an obligation to check on the cybersecurity capabilities of their vendors, but vendors also need a certain level of secrecy around the means they employ to provide that security. If a vendor provides answers to sensitive security questions to one client or prospect, it would be unjust not to provide the same to all clients and prospects, great or small. Eventually this information would be disseminated to the point where it is public knowledge and ends up in the hands of cybercriminals.

Disconnect with clients

In short, there is a disconnect between what advisers and their clients want — even need — to know in order to carry out their fiduciary obligations, and what record keepers are willing to disclose.

To help solve this dilemma, the Spark Institute worked with record keepers and plan advisers to develop a new industry standard on how companies can communicate their data security capabilities in a reliable and consistent way.

The new standard consists of the 16 critical data control objectives most frequently cited by plan sponsors, including areas such as risk assessment and treatment, security policies, organizational security and asset management. The standard requires record keepers to use an independent third-party auditor to attest to the controls implemented.

For plan sponsors and their advisers looking to gauge a vendor’s data security, the Spark standard provides a solid means to measure them. An adviser can request these reports from record keepers and compare one vendor to another in an apples-to-apples way.

Record keepers and plan advisers hope these new standards will enable plan sponsors to meet their fiduciary duty and better protect plan data from cybercriminals. The standards should encourage a virtuous cycle of constant improvement among record keepers, which will benefit the entire industry.

Tim Rouse is executive director of the Spark Institute.