Department of Labor Provides Cybersecurity Guidance
Meeting Fiduciary Duty, and Avoiding Incorrect Advice to Plan Sponsors
By Ben Taylor
Plan sponsors and fiduciaries have traditionally relied on advisers — from attorneys to accountants to investment consultants — to help guide decisions for their retirement plans. For decades, a cornerstone of this assistance has been making recommendations about retirement plan investment portfolios. With the rise of cyberattacks on financial institutions, a number of plan sponsors and their advisers have started to focus more time and resources on the security of their plan data, including the participant information held by service providers. The Department of Labor (DOL) also recognized the vulnerability of plans to cyberthreats and recently published three important documents:
- ONLINE SECURITY TIPS: A helpful guide for plan sponsors and participants on how to maintain strong cybersecurity hygiene.
- TIPS FOR HIRING A SERVICE PROVIDER: A buyer's guide to assist plan sponsors.
- CYBERSECURITY PROGRAM BEST PRACTICES: 12 areas that plan sponsors should cover when addressing their cybersecurity programs.
These are helpful documents and important tools for plan sponsors to use when fulfilling their fiduciary duties. However, as plan advisers and attorneys have begun incorporating this guidance into the advice they provide their clients, they must be careful. While it is understandable that plan sponsors, prompted by advisers and attorneys, would want their service providers to provide more and better information, the absence of a basic understanding of cybersecurity could result in requests that could inadvertently create greater risks. Service providers recognize the right of plan sponsors to confirm that their participants’ data are protected, but have legitimate concerns that some of the information requested, if it becomes more widely available, could help cybercriminals breach systems, thus undermining that very security.
DOL’s New Guidance Consistent with SPARK’s Industry Standards
Several years ago, the need to bridge the gap between plan sponsors and vendors when communicating about cybersecurity had already become obvious. At that time, the retirement industry began to develop its own solutions by working with all stakeholders — service providers of all shapes and sizes, as well as plan sponsors, consultants, and plan attorneys. The SPARK Institute, an association representing recordkeepers, plan administrators, and plan consultants, formed a Data Security Oversight Board (DSOB) in 2016 with representatives from each stakeholder group, charged with presenting a solution for the challenge of verifying the cybersecurity capabilities of providers without revealing information that could help cybercriminals. (Callan, along with other large institutional investment consulting firms, is a member of this board.)
SPARK was pleased to see the solutions developed by its DSOB reflected in the Department of Labor’s new guidance in four key aspects:
- Cybersecurity Is a Shared Responsibility — Recordkeepers, plan sponsors, financial advisers, and participants all share a responsibility for protecting these critical savings accounts.
- Cybersecurity Is a Fiduciary Duty — A point that many fiduciary experts always assumed, but this new guidance acknowledged, is that cybersecurity is a natural part of a fiduciary’s responsibility to oversee the plan’s service providers.
- Standardized Cybersecurity Information — The consumer should receive standard cybersecurity information that can be used to compare service providers.
- Information Has to Come from Independent Third Parties — Basic cybersecurity information should be validated by trusted independent third-party auditors to ensure the integrity of all information.
These four key points are the cornerstones of both SPARK’s standards and the Department’s new guidance. All plan sponsors have to be able to trust and rely upon service providers to maintain plan records and keep participant data confidential and secure. SPARK’s standards help build that trust and reliance. Plan sponsors should incorporate these standards as a first step in evaluating the cybersecurity capabilities of their vendors. These standards should be applied to all vendors that have access to Personally Identifiable Information (PII).
In most cases, SPARK’s categories match those of the Department of Labor’s guidance, one for one. In a few instances, SPARK’s standards break one of the Department’s categories into more than one. For two of the Department’s categories, SPARK’s standards do not have a corresponding control objective; in those two cases, the Department’s guidance matches the core principles of SPARK’s Best Practices. For example, an independent third-party audit is a category for the DOL, and is core to how SPARK members are asked to deliver on their Best Practices. Conversely, the DOL’s guidance does not cover the topic or category of Mobile, while SPARK includes a category specific to mobile applications.
Both the SPARK standards and the guidance issued by the Department of Labor rely on the principles of trusted third-party attestations provided by an audit of the service provider and built on a consistent set of standards. Neither standard is a regulated solution, which gives industry members flexibility to use whatever data security frameworks they feel are most appropriate for their organizations. Yet, while providers are free under this potential solution to use frameworks of their choosing, the reporting of the controls used and how these controls were tested is designed to fit a uniform basic framework.
The Need to Avoid Inadvertently Creating Greater Cybersecurity Risks in Implementation
Plan sponsors commonly employ advisers to assist with fiduciary oversight tasks such as selecting funds, benchmarking fees, and choosing third-party vendors such as recordkeepers, trustees, and custodians. The vendor selection process is often led by investment consulting firms. The core competencies of these consulting firms are typically services such as asset allocation, capital markets research, investment manager selection, monitoring, and other affiliated services. For many of these firms, the optimal approach to conducting vendor due diligence on complex administrative tasks has been to rely on third parties — whether auditors, attorneys, or other services — to verify the accuracy and thoroughness of a vendor’s procedures. As defined contribution (DC) plans have grown to be a larger part of the marketplace, these consulting firms shifted focus from defined benefit (DB) to DC services, and that shift included developing the ability to select and monitor recordkeepers and custodians.
Until now, firms conducting most of the vendor search and due diligence services in the marketplace have not had a primary focus on matters such as cybersecurity, but leading-edge firms have been developing ways to help plan sponsors evaluate the cybersecurity protocols of their service providers and engage with recordkeepers to better understand their security postures. However, the process of assessing security can be complicated by an information cycle, which, if implemented incorrectly, could inadvertently increase — rather than decrease — cybersecurity risks.
Recordkeepers have significant incentives to reveal only a limited amount of information about their cyber defenses, because hackers can use extensive revelations to learn how to adapt their methods and avoid detection. This means that recordkeepers often respond rationally with only limited information about cyberattacks. This, in turn, causes some plan sponsors and consultants to react with renewed vigor in their efforts to confirm the adequacy of defenses, which can lead to either frustration or to recordkeepers complying with the requests, weakening their defenses.
How information is requested in three examples — penetration tests, breach notifications, and Service Organization Control (SOC) 2 reports (management reports created by a company’s auditing firm to provide insights into security, systems availability, processing integrity, confidentiality, and privacy of customer data) — illustrates the importance of understanding what must be done to avoid unintentionally creating additional risks.
Penetration Tests are requested from service providers by plan sponsors upon the instruction of their adviser firms and attorneys. A penetration test report is a list of known vulnerabilities and would be a gold mine to any criminal hacker intent on breaking into a firm’s systems. Those with a basic understanding of cybersecurity recognize that any firm releasing its penetration test report to outsiders, even clients, is committing gross negligence. Some information related to penetration testing is valuable to share, and SPARK’s DSOB developed guidelines for this aspect of protecting data from cybersecurity risks (see SPARK Guidance for details).
Breach notifications are critical to any customer whose data have been stolen — but like the townspeople in the story of the boy who cried wolf, plan sponsors want to be alerted only when a threat is real. Asking a service provider to notify a plan sponsor of all breaches — depending on how these are defined — can have the destructive effect of inundating the sponsor with information and numbing it to real threats when they arise. It is critical to negotiate with service providers and correctly identify when a breach reaches a severity level that is important to the plan.
Finally, SOC 2 reports are a great resource for evaluating the security controls of a service provider. However, advisers who tell their clients simply to rely on SOC 2 reports typically leave them unprepared for the difficult task of comparing one firm’s SOC 2 with another. A SOC 2 is a complicated report. Comparisons become even harder when they involve more than one firm or are being made between firms in different markets. To simplify the comparison process, SPARK’s DSOB developed a streamlined report derived from the data in a SOC 2 and created by the same auditors that provided the SOC 2.
Conclusion
The Department of Labor’s recently published documents and focus on cybersecurity are helpful to plan sponsors and their advisers. SPARK’s Industry Best Practices for Cybersecurity align well with the Department of Labor’s guidance. However, it is also important for the broader membership of the retirement industry to line up behind an industry standard, because that is the best hope of meeting our industry’s shared responsibility to protect the savings of millions of American workers.
SPARK’s Data Security Oversight Board and the standards it has created are the best means for the industry to meet this shared goal. Mixed messages or incorrectly structured data requests can lead to a counterproductive information cycle, which, in the end, would reduce our collective security rather than bolster it.
Ben Taylor is Senior Vice President and Head of Tax-exempt Defined Contribution (DC) Research at Callan, LLC, one of the largest independently owned investment consulting firms in the U.S. Based in Los Angeles, he leads research into public sector and nonprofit DC plans for the firm. He has served as the lead consultant to the DC plans of 13 states, and many large cities and universities. He is a Callan shareholder.
July 2021, 21-06
Additional Resources
Industry Best Practices Data Security Reporting (September 2017). SPARK Institute.
FAQ for Cyber Security Best Practices. SPARK Institute.
SPARK DSOB Security Breach Definition Best Practice Standard (April 2019). SPARK Institute.
Industry Best Practices Communicating Penetration Testing Results (April 2020). SPARK Institute.
Cybersecurity Program Best Practices. Employee Benefits Security Administration, Department of Labor.
Tips for Hiring a Service Provider with Strong Security Practices. Employee Benefits Security Administration, Department of Labor.
Online Security Tips. Employee Benefits Security Administration, Department of Labor.