Environment, social and governance proposals have captured many of the headlines recently but that’s not the only topic on which regulators are focusing. In March 2021, the U.S. Securities and Exchange Commission announced its 2021 examination priorities list and cybersecurity was on the list.
According to the SEC, it will review whether registrants have taken appropriate measures to safeguard customer accounts and prevent account intrusions; oversee vendors and service providers; address malicious email activities; respond to incidents; and manage operational risk resulting from work-at-home employees.
The Department of Labor also is focusing on cybersecurity for retirement plans. In April 2021, the agency issued three guidance documents for plan fiduciaries, including: “Tips for Hiring a Service Provider,” “Online Security Tips” and “Cybersecurity Program Best Practices.” The DOL guidance describes best practices for plan-service providers, but the agency doesn’t have the authority to regulate these providers, says Sarah Bassler Millar, an attorney and partner with Faegre Drinker Biddle & Reath LLP in Chicago. Consequently, the guidance for service providers is a way for the DOL to regulate fiduciary advisors without formally regulating them.
The DOL’s best practices guidance for services providers offer high-level advice that overlaps the SEC’s measures in several instances, such as:
- Have strong access control procedures;
- Ensure that any assets or data stored in a cloud or managed by a third-party servicer provider are subject to appropriate security reviews and independent security assessments;
- Appropriately respond to any cybersecurity incidents.
Serious Business
The agencies’ guidance is relatively generic. Nonetheless, the agencies are serious about enforcement, an attitude that creates both potential compliance challenges for advisors and plans but also service opportunities for plan advisors.
For example, in late August 2021, the SEC “sanctioned eight firms in three actions for failures in their cybersecurity policies and procedures that resulted in email account takeovers exposing the personal information of thousands of customers and clients at each firm.” The SEC charged that the firms’ failures to sufficiently protect personnel’s cloud-based email accounts allowed the breaches and the firms’ responses to the breaches were inadequate. Beyond the reputational damage, failing to stop the breaches and respond properly proved expensive. Per the SEC’s press release: “The Cetera Entities will pay a $300,000 penalty, Cambridge will pay a $250,000 penalty, and KMS will pay a $200,000 penalty.” Ouch.
Plan sponsors also are seeing increased scrutiny. A recent Faegre Drinker webinar, Cybersecurity Under ERISA: What’s Next for Plan Sponsors and Fiduciaries?, noted that the DOL already is requesting information about plans’ cybersecurity practices. Among the questions and information requests the webinar presenters encountered:
- Do you have policies and procedures for how plan participants access information systems containing plan data? What are they?
- Do you have policies and procedures that set forth the security requirements for all service providers regarding protecting the plan data and assets from cybersecurity breaches?
- What criteria did you use to select the service provider? Did the criteria include cybersecurity for plan participants’ data and plan assets?
Bridging the Regs
The last point, selecting service providers, could present a value-add opportunity for advisors. Anecdotally, plan advisors tell me their smaller-plan clients often rely on them for a broader range of advice more than their larger-plan clients. That’s not surprising, given the greater resources typically available to larger plans. Allison Brecher, Vestwell’s general counsel and chief privacy officer, notes that regarding cybersecurity: “Plan sponsors, especially small businesses, aren't always knowledgeable enough about what questions to ask, how to interpret responses and how to measure potential service providers against each other.”
That situation creates an opportunity for advisors to “add a lot of value to the process by helping plan sponsors vet service providers,” Brecher says. “The DOL published a 12-point guidance list about what plan sponsors should look for in their service providers. Advisors can help them through that process.”
Implementing the SEC’s priorities and DOL’s best practices for fiduciaries in their own firms gives plan advisors first-hand cybersecurity experience. But that experience likely isn’t sufficient for most advisors to offer full-blown cybersecurity consulting. Carl Cadregari, executive vice president with the FoxPointe Solutions Information Risk Management division of the Bonadio Group in Rochester, N.Y., cautions that it is “rare that the plan sponsors and fiduciaries have the cybersecurity awareness required to navigate the very complex nature of the guidance and the overarching requirements for protections within their organization and with all the third-party administrators and vendors. It’s a highly complex and intertwined set of controls that may need consultation from and/or advice from a cybersecurity, data security, vendor risk management expert.”
Bassler Millar agrees there is a role for advisors to ensure their clients are aware of the new guidance and its implications. Advisors can also coordinate a review of a plan’s cybersecurity practices, but she echoes Cadregari’s caution. “The challenge is that to be effective in that role, advisors will want to educate themselves to some degree about cybersecurity terminology and standards,” Bassler Millar says. “And it may be appropriate to partner with experts or those who can do the heavy lifting on things reviewing SOC 2 reports to assess the extent to which a record-keeper or a trustee has appropriate cybersecurity practices in place.”