SPARK to Establish Data Security Standards for Recordkeepers

The newly established Data Security Oversight Board will collaborate to establish uniform criteria for recordkeepers and certify those who meet the criteria.

The SPARK Institute has unveiled its plan to establish uniform data-management standards for the defined contribution (DC) retirement plan market through its newly created Data Security Oversight Board.

Mike Volo, senior partner at Cammack Retirement Group in Wellesley, Massachusetts, who will participate in the board, tells PLANSPONSOR, “I believe data security is a bigger challenge now. Heightened security threats are seen in the media every day, and technology is evolving so quickly and is sophisticated and complex. It is difficult for recordkeepers and advisers vetting recordkeepers to keep up with the newest threats.”

Tim Rouse, executive director of the SPARK Institute in Simsbury, Connecticut, adds, “There is a proliferation of modems for getting into data; even phones are a new source.”

SPARK’s Data Security Oversight Board will collaborate to establish uniform criteria for recordkeepers aimed at providing a baseline level of security across the retirement industry. Common Criteria Certification, as it is known, ensures that services purchased by organizations perform and are secure at the desired level of performance, the Institute says. It has emerged as a standard by which all industries can evaluate the security of IT and data systems.

Rouse says the concept for the board came about because recordkeeper members of SPARK have very intense cyber security protection, and the consultant community has a duty to make sure plan sponsors know the depth to which participant data is being protected. But, recordkeepers don’t want to constantly explain their data protection strategies because that itself becomes a data security weakness.

NEXT: Certifications will be a win for all

The board will bring together recordkeepers and consultants to establish standards, and recordkeepers will be certified if they are adhering to those standards. If recordkeepers are asked in requests for proposals (RFPs) about data protection, they can just respond that they have the certification, Rouse says. He notes that the Common Certification Criteria will not be published to keep cyber security criminals from knowing data security strategies, but the board will publish a list of recordkeepers that have the certification.

“We are experts in retirement plans and investments, not in data security,” says Volo. “I think with this Common Certification Criteria, as we do RFP searches, having the certification will be a requirement. It will streamline our RFP process.”

The first Data Security Board meeting will take place on June 21 in Washington D.C., to coincide with SPARK’s National Conference. Board participation will be open to all industry members and plan sponsor consultants. Rouse says he can’t predict when the board will finalize the standards.

But, he notes, “This is expected to be a living breathing certification. The board will update criteria and recertify recordkeepers annually to keep the industry fully up to date on cyber security threats.”

Volo concludes, “This will be a win, win, win, win. It will be a benefit for recordkeepers that meet the criteria, it will make advisers’ jobs easier, it will help plan sponsors better fulfill fiduciary responsibilities to participants and participants will know their data is secure.”