Reading the words “cybersecurity breach” and “cyber fraud” on the news, email, or in general can alone cause panic. But what constitutes a security breach, and how a recordkeeper should inform a plan sponsor about cyber-related events continue to be unclear throughout the industry.
As plan sponsors are growing their emphasis on cybersecurity safety, “security breach” and “cybersecurity” are becoming key issues in recordkeeping contracts, says The SPARK Institute. To develop better understanding on the terms and its meanings, the company, through the work of its Data Security Oversight Board (DSOB), has developed common definitions for these terms, made publicly available.
“It’s important to keep in mind that these definitions serve as guidelines and do not supersede state and/or federal laws, legislation, or regulation”, says Dennis Lamm, a member of SPARK’s DSOB from Fidelity Investments, who headed up the task force responsible for developing these definitions. “Our objective was to create a reasonable approach consistent with best practices and industry standards that will serve to protect participants, simplify discussions and get to an agreement more quickly.”
According to SPARK, over 11 months, the DSOB Task Force worked with definitional examples from national cyber standards, international regulations, state privacy laws, and client contracts and gathered insights from the plan consultant representatives on the board.
“As Plan Fiduciaries evaluate their third-party vendors, cybersecurity measures and standards have become increasingly relevant,” says Rasch Cousineau, a senior consultant with the Hyas Group. “These definitions provide a level platform for vendor evaluation as it relates to cybersecurity breach and fraud.”
The set of definitions includes two examples, Security Breach and Cyber Fraud, according to the report. For illustrative purposes, examples of a Security Breach include: “A successful attack on a recordkeeper’s network or information system which results in authorized acquisition of participant records,”; “An intrusion into a recordkeeper’s external cloud account that results in the attacker acquiring unencrypted personal data stored within the environment;” and more.
Cases behind Cyber Fraud include participants disclosing account usernames and passwords via phishing email links; and compromised computers holding forms of keystroke logging malware.
SPARK makes it clear in their report that definitions are “not intended to supersede state and/or federal laws, legislation, or regulation, but are meant to establish a base of communication between recordkeepers and plan sponsors regarding Security Breaches and Cyber Fraud events.”