The retirement industry has no unified cybersecurity approach to protect sensitive data, and the amalgam of federal and state regulations offers no clear approach to security within the retirement space, industry sources said.
No federal regulation comprehensively governs cybersecurity for retirement plans or service providers, notes a Pension Research Council working paper published in December. The Employee Retirement Income Security Act of 1974 "is silent on data protection in the form of electronic records, and the U.S. courts have not yet decided whether managing cybersecurity risk is a fiduciary function," the paper states. And while some retirement service providers are covered by federal rules based on their industry, they often span several different industries, complicating which rules they must follow.
David Levine, principal at the Groom Law Group, said the current cybersecurity regulatory landscape for retirement plans is incomplete: "It's kind of woven together as a patchwork, and the patchwork has holes in it at times." Mr. Levine co-wrote the paper along with Groom colleague Allison Itami; Timothy Rouse, executive director at the SPARK Institute; and Ben Taylor, senior vice president at Callan LLC.
In a 2016 report to the Department of Labor, the ERISA Advisory Council included guidance for plan sponsors on how to evaluate cyberrisks for their benefit plans. But major questions still persist, Mr. Levine said, such as: Is cybersecurity an ERISA fiduciary responsibility? And if so, does ERISA pre-empt state cybersecurity laws?
The SPARK Institute, which formed the Data Security Oversight Board composed of industry stakeholders, published a set of cybersecurity best-practice standards in 2017 that has been gaining traction among plan sponsors, consultants and record keepers, said Mr. Rouse, of the SPARK Institute. The institute represents retirement industry players such as record keepers, investment advisers, mutual fund companies and benefit consulting firms. The standards are intended to establish a uniform communications tool that helps plan sponsors and service providers properly assess and compare retirement plan vendors, he said. Plan sponsors, through their consultants, are using the standards to evaluate record keepers' data protection capabilities without the record keepers having to disclose their methods.