Not a Cybersecurity Expert? No Problem

In April 2021, the Department of Labor’s Employee Benefits Security Administration issued “Tips for Hiring a Service Provider with Strong Cybersecurity Practices.” The publication provided guidance on cybersecurity best practices to “help business owners and fiduciaries meet their responsibilities under ERISA to prudently select and monitor such service providers.”

Implementing the tips’ high-level guidance can create several challenges. For example, the first tip tells sponsors to ask vendors about their audit results, security standards, practices and policies, and then to compare those findings with financial industry standards. But plan sponsors are not typically experts at cybersecurity in the same way they are not experts on investment funds or various other things, according to Ray Conley, CEO of Jackson, Wyoming-based Benetic, Inc., an online marketplace for retirement advisers and service providers. That lack of expertise creates a need to hire consultants and other cybersecurity experts, as it does with a plan’s investments, Conley says.

Another challenge is the retirement industry’s unique complexity and the interdependency of various vendors. Conley cites plans’ multiple relationships with recordkeepers, custodians and trustees, third-party administrators and payroll providers as examples.

“They’re all sharing personally identifiable information [and] financial information, and at every point that there’s an interface, that introduces risk,” he says.

Most cybersecurity rating services are not focused on the retirement industry, says Conley. “They just look at one company or they’ll call it maybe supply chain risks,” he says. “But this is different than a supply chain. This is a synthesis of a bunch of service providers working together. Anyone who’s really doing their job on this needs to have some experience and focus on the retirement industry.”

Allison Dirksen, a senior vice president and head of wealth solution sales at Voya Financial in St. Paul, Minnesota, says sponsors can consider adopting a standard vendor risk assessment process. A VRA can be used for third parties, especially those that exchange or store electronic information or documents containing participant information. The assessments are matched against a firm’s policies and standards to ensure vendors are held to the same standards as the plan.

The risk assessment of a prospective third-party vendor should be performed prior to the execution of a contract, says Dirksen. This step ensures that all data protection requirements are incorporated into the contract with the vendor and that key vendor control documents are reviewed during the assessment. As part of the due diligence and in addition to the VRA, obtaining proof of the vendor’s cybersecurity insurance and data protection polices is also a good practice, says Dirksen.

Working with Recognized Standards

The DOL’s guidance states that sponsors should: “Look for service providers that follow a recognized standard for information security and use an outside (third party) auditor to review and validate cybersecurity.”

The Service Organization Control is an example of an audited standard. Independent auditors, often larger accounting firms, perform SOC examinations on service organizations based on guidelines established by the American Institute of Certified Public Accountants

SOC reports have different levels: SOC 1 reports evaluate security controls at one point in time, while SOC 2 reports consider a longer period, perhaps six months. In a SOC 2 audit, a third party reviews an organization’s controls for protecting the confidentiality and integrity of its data processing systems. Large U.S. recordkeepers distribute their SOC reports. A web search found that Fidelity, Vanguard, T. Rowe Price and Voya, for example, offer their SOC reports to plan sponsors or post them online.

SOC reports introduce another complexity, though. Different vendors’ SOC 2 reports are not directly comparable, Conley explains. Although they cover a standardized set of information technology risks, companies’ organization of their reports’ material can differ.

“When you look at a SOC 2 report from one company and try and compare it to another company, it’s like comparing apples and oranges, even though they’re addressing the same controls,” says Conley. “It’s really hard to compare, let’s say, Fidelity’s SOC 2 to Transamerica’s SOC 2 to Principal’s SOC 2. You can do it, but it’s kind of hard.”

Consolidating with SPARK

As Conley notes, comparing and evaluating vendors’ individual SOC reports can be a time-consuming process. The Simsbury, Connecticut-based Society of Professional Asset Managers and Recordkeepers (SPARK Institute) addressed this problem with its 2017 publication of best cybersecurity practices for recordkeepers. Tim Rouse, the executive director of the SPARK Institute, says that before the creation of SPARK’s industry standards, plan sponsors would query vendors with numerous questions in requests for proposal. Each vendor’s sales team would then respond to the questions.

SPARK’s member firms agreed to use the published SPARK standards when reporting on 16 (now 17) identified critical data security control objectives.

“The implementation of industry standards required SPARK member firms to utilize independent third-party auditors to provide basic information on 17 control categories as a starting point for cybersecurity discussions,” Rouse explains. “So, rather than have sales teams answer client questions on cybersecurity, basic control information is provided by independent third-party auditors. While this process has been adopted by larger plan sponsors, smaller plan sponsors have not yet implemented the process in great numbers.”

The 17 SPARK control objectives offer examples of what plan sponsors should review on each point, from overall risk assessment to cloud security and ransomware. The document also offers samples of the kinds of controls service providers should have in place to address each objective.

Conley, a SPARK member, says that while SOC 2 reports cover security, availability, processing integrity, confidentiality and privacy, only certain controls apply to cybersecurity and the retirement industry. SPARK created a method for mapping SOC 2 controls to retirement-industry-specific issues, Conley explains: “The SPARK report allows someone to compare the reporting of different recordkeepers in a common format to make it a little more apples-to-apples comparable.”

Managing the RFP Process

The DOL suggests plan sponsors review their vendors’ cybersecurity credentials at least annually. There are several approaches to managing the vendor cybersecurity evaluation process. A standard method is for the plan or its consultants to approach vendors directly.

Another approach is to work with a specialist cybersecurity evaluation service, which in turn reviews the vendors’ controls and protections. Benetic has published a detailed guide for sponsors and advisers to use as an RFP template in evaluating cybersecurity evaluation firms. The guide is designed to help “plan sponsors and advisers find a firm with the expertise, access and understanding necessary to evaluate and compare complex multiple vendor evaluations, regardless of the type of employee benefit program.”

Benetic and the SPARK Institute are also collaborating on PlanShield, an effort to provide “neutral and transparent information on cybersecurity risk to plan sponsors” that launched in July. For participating recordkeepers, PlanShield uses the following five-step process:

1. Recordkeeper provides SOC 2 and SPARK reports to PlanShield, which uses the information to produce a summarized risk score that addresses the DOL guidance in a simplified format;
2. PlanShield conducts a confidential external security review of the recordkeeper’s websites;
3. PlanShield evaluates a firm’s penetration testing process;
4. Recordkeeper provides PlanShield details of any insurance policies that may cover plan participants for cyber breach losses. PlanShield scores the coverage; and
5. PlanShield generates a plan-specific risk rating for the recordkeeper.

Early response to PlanShield has been very positive, says Conley: “We are already overwhelmed with demand due to word-of-mouth referrals for the service and haven’t had time to market it or even add it to the website yet.”