Without sufficient protections, retirement plan participants and assets may be at risk from both internal and external cybersecurity threats, the Labor Department said in a news release. “This much-needed guidance emphasizes the importance that plan sponsors and fiduciaries must place on combating cybercrime and gives important tips to participants and beneficiaries on remaining vigilant against emerging cyber threats,” said Ali Khawar, acting assistant secretary for EBSA, in the news release.
Most record keepers should be comfortable with the Labor Department’s guidance because it aligns closely with the SPARK Institute’s standards, said Tim Rouse, Simsbury, Conn.-based executive director at SPARK, which represents retirement industry players such as record keepers, investment advisers, mutual fund companies and benefit consulting firms.
SPARK formed the Data Security Oversight Board, composed of industry stakeholders, which published a set of cybersecurity best-practice standards in 2017.
Both the Labor Department guidance and the SPARK standards are built on two key principles that help the plan sponsor fulfill its cybersecurity fiduciary duty, Mr. Rouse said: first, the consumer should be provided standard cybersecurity information that can be used to compare service providers; second, that basic cybersecurity information should be provided by trusted, independent third-party auditors to ensure the integrity of all the data.
One thing Mr. Rouse would like the Labor Department to make clear to plan sponsors, though, is that sharing a penetration test report (the results of an authorized test that probes a system's defenses for exploitable vulnerabilities) is unacceptable, since such a report could serve as a road map for bad actors. Instead, plan sponsors should be able to ask for and receive information about a provider's penetration testing: how often tests are performed and by whom, and what the remediation policy is for fixing identified issues.
Also, plan sponsors should be clear about what they mean by “breach” when contracting with service providers, Mr. Rouse said. Because of bots and automated web requests, every system in the world is constantly experiencing some level of breach, he added.
“Most never rise to a level of severity that becomes meaningful to a consumer,” Mr. Rouse said. “Properly identifying the right level of severity acceptable to each plan sponsor is critical for this process to work effectively.”