The SPARK Institute recently updated its Industry Best Practices for Cybersecurity and released a new Plan Sponsor & Advisor Guide to Cybersecurity to accompany it.
As part of its efforts to help strengthen cybersecurity throughout the retirement industry, the organization’s Data Security Oversight Board (DSOB) developed the data security best practices and 17 control objectives.
The intent of these standards is to establish a common basis for communication between recordkeepers and the public, through third-party audits of the cybersecurity control objectives. They are not intended to prescribe a recommended level of cyber protection, nor do they guarantee against a data breach or loss, the guide notes.
According to SPARK, the 17 control objectives, which run the gamut from risk assessment and treatment to incident and event communications management, are consistent with and aligned to the Department of Labor Cybersecurity Program Best Practices released last year. They also satisfy the DOL's requirement for a Reliable Annual Third-Party Audit of Security Controls for recordkeepers.
When reviewing or selecting a recordkeeper, the guide recommends that plan sponsors and advisors first request a copy of the recordkeeper's cybersecurity reports covering each of the 17 control objectives. The data provided in these reports should be the basis for evaluating a service provider's cybersecurity capabilities.
“Plan sponsors have an important role in working with service providers so that they have controls in place that are following cybersecurity best practices. The revised SPARK Data Security reporting standard helps in that regard,” said Dennis Lamm, Senior Vice President and head of Customer Protection at Fidelity Investments. “SPARK’s retirement industry cybersecurity leaders drew on their deep expertise in an unprecedented collaborative effort to come up with an action plan to help recordkeepers communicate the full capabilities of their cybersecurity systems to plan consultants, clients and prospects.”
“From recent surveys of members, all DSOB members developed controls that build on current industry guidance and practices in an effort to better protect retirement assets against criminal cyber activity and enable plan sponsors and advisors to better manage their fiduciary responsibility,” added Tim Rouse, Executive Director of the SPARK Institute.