Skip to main content

You are here


SPARK Initiates Best Practices for Reporting Cybersecurity Capabilities

To help plan sponsors insure their employees’ data is protected within their retirement plan, new industry best practices for how recordkeepers should report their cybersecurity capabilities to plan sponsors and plan consultants have been developed by the SPARK Institute.

“For years plan sponsors relied on self-reported answers from recordkeepers about their cybersecurity capabilities. The problem with this process, beyond the self-reporting aspect, is that both the number of cybersecurity questions and the intimacy of those questions has dramatically increased over the years,” explains Tim Rouse, Executive Director of the SPARK Institute. Rouse notes that the answers to these questions typically get distributed through a vendor RFP process, raising concern that this information could end up in the wrong hands.

In response to this problem, SPARK formed a Data Security Oversight Board (DSOB), comprised of both recordkeepers and members of the plan consultant community in an effort to create a data security standard that all industry players need to meet.

The DSOB realized, however, that one overarching standard was not only unattainable given the different security frameworks each recordkeeper uses, but also was bad security policy. “If that one standard was breached then everyone’s systems would be at risk,” said Doug Peterson, Chief Risk Officer for Empower Retirement and Chair of SPARK’s DSOB.

As a result, the organization decided to standardize how security capabilities are reported, so the plan sponsor would have a uniform way to better compare each vendor, according to Peterson.

When a member firm uses SPARK’s best practices to describe their overall data security capabilities, it must use the 16 identified critical data security control objectives, defined by the DSOB, the announcement explains.

Members are also required under the best practices to use an independent third-party auditor. In addition, each audited report, regardless of the security framework used, must include a detailed report showing identified controls mapped to one of the 16 control objectives.