In April the Department of Labor’s Employee Benefits Security Administration released three publications that included cybersecurity best practices and hiring tips for plan fiduciaries, plan sponsors, record keepers and plan participants. It’s timely advice. The DOL estimates that defined benefit and defined contribution plans held $9.3 trillion in assets as of 2018. Those assets are a tempting target for thieves, as shown by the reports of retirement account balance thefts and resulting lawsuits that surfaced in 2020.
Overall, the DOL’s guidance was high-level. Meg Anderson, Vice President, Chief Information Security Officer for Principal, notes that leading industry retirement plan providers are already largely achieving the practices outlined in the guidance. In that sense, she notes, the guidelines complement industry best practices and were anticipated, though they did not go into as much depth on participant actions as many in the industry expected.
Paul Perry, CPA, CITP, practice leader of the Security, Risk and Controls Group at CPA firm Warren Averett, agrees that the DOL’s guidance did not contain any surprises, largely because cybersecurity controls are industry-agnostic, he said. Organizations try to understand where they are vulnerable to exposure, whether the organization is a plan or a third-party administrator (TPA).
Expertise Constraints
Some plan consultants work in larger organizations that have extensive internal cybersecurity resources. For example, Kristina Keck, vice-president of the Retirement Plan Services group with Woodruff Sawyer, said she can call on internal specialists to review prospective vendors’ data security arrangements during the request for proposal (RFP) phase; her firm also has a cyber liability insurance group.
But it’s more likely that smaller and midsize plan consultants will lack internal access to that degree of cybersecurity expertise, and that raises a challenge. How should such a consulting firm respond when plan sponsors ask what they need to do about the DOL’s guidance?
External Resources
Large firms can be a source of information for getting guidance to share with sponsors. Scott Witter, senior vice-president for AIG Retirement Services, said his company regularly has conversations with the consultant and plan advisor community to offer insight and help them provide the necessary support to their plans. “As an example, we created a guidebook that several consultant groups now use to understand the most important cybersecurity questions for an RFP process as well as how to assess the responses,” Witter noted.
Principal’s Anderson added consultants “certainly have an important role to play in cybersecurity and have options available to support them. These include educational materials to guide conversations, external parties to bolster their security expertise, or the decision to bring someone in-house,” she said. Organizations like the Cyber Readiness Institute provide free tools and resources to bolster small and medium-sized enterprises’ security efforts, Anderson added.
Perry’s group at Warren Averett is another example of an external resource. Perry said TPAs often hire his firm to validate their controls for protecting clients’ (i.e., plan sponsors’) data. These risk assessments can include System and Organization Controls (SOC) reports, which were developed by the American Institute of Certified Public Accountants (AICPA). According to the AICPA, those reports “are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.”
The reports review “the security of an IT environment or the security posture of an organization,” said Perry. “Our team assists organizations in getting validation to the controls that they have in place that others may be relying on.”
Eric Droblyen, president and CEO of recordkeeping TPA Employee Fiduciary, said his company uses vendors’ security practices and technology to enhance his firm’s practices. For example, his firm has an application service provider (ASP) relationship with fintech provider FIS and Employee Fiduciary’s participant data is stored on FIS servers. Using FIS’s SOC reports and other provided reports also makes it easier for Droblyen to respond to inquiries about his company’s security practices.
Opportunities
Although most plan advisors can’t provide high-level cybersecurity consulting or issue SOC reports, they can still help plans improve and review their methods. For instance, many small- to midsize plan sponsors will want assistance in developing security-focused RFP questions and in reviewing vendors’ responses. The DOL’s “Tips for Hiring a Service Provider with Strong Cybersecurity Practices” is a logical starting place in developing the RFP questions.
Educating plan participants along the lines of the DOL’s “Online Security Tips” would appear to be another potential value-added service, because poor personal security practices can undermine the technology. “Cybersecurity is a people problem, it’s not a technology problem,” said Perry.