Cybersecurity 'patchwork' leaving industry vulnerable

The retirement industry has no unified cybersecurity approach to protect sensitive data and an amalgam of federal and state regulations don't offer any clear approach for security within the retirement space, industry sources said.

No federal regulation comprehensively governs cybersecurity for retirement plans or service providers, notes a Pension Research Council working paper published in December. The Employee Retirement Income Security Act of 1974 "is silent on data protection in the form of electronic records, and the U.S. courts have not yet decided whether managing cybersecurity risk is a fiduciary function," the paper states. And while some retirement service providers are covered by federal rules based on their industry, they often cross several different industries, complicating which rules it must follow.

David Levine, principal at the Groom Law Group said the current cybersecurity regulatory landscape for retirement plans is incomplete: "It's kind of woven together as a patchwork, and the patchwork has holes in it at times." Mr. Levine co-wrote the paper along with Groom colleague Allison Itami; Timothy Rouse, executive director at the SPARK Institute; and Ben Taylor, senior vice president at Callan LLC.

In a 2016 report to the Department of Labor, the ERISA Advisory Council included guidance for plan sponsors on how to evaluate cyberrisks for their benefit plans. But major questions still persist, Mr. Levine said, such as: Is cybersecurity an ERISA fiduciary responsi- bility? And if so, does ERISA pre-empt state cybersecurity laws?

The SPARK Institute, which formed the Data Security Oversight Board composed of industry stakeholders, published a set of cybersecurity best practice standards in 2017 that has been gaining traction among plan sponsors, consultants and record keepers, said Mr. Rouse, of the SPARK Institute. The institute represents retirement industry players such as record keepers, investment advisers, mutual fund companies and benefit consulting firms. The standards are intended to help establish a uniform communications tool to assist plan sponsors and service providers in properly assessing and comparing retirement plan vendors, he said. Plan sponsors, through their consultants, are using the standards to evaluate record keepers' data protection capacities without the latter having to disclose their methods.

One of the main concerns service providers have when answering cybersecurity-related questions is disclosing too much information, even with their plan sponsor clients, Mr. Rouse explained. "If I'm sharing with you the procedures, processes and tools that I'm using to protect your data then that information will eventually get out there and into the hands of the folks that shouldn't have it, and then it builds a road map for those who want to break into your system," he said.

The SPARK Institute's member firms don't want to share this information, not because they don't believe the questions are warranted but because by sharing it, the processes and procedures "won't be a secret anymore," Mr. Rouse added.

Using stakeholders' commonly asked questions as a guide, the Data Security Oversight Board identified 16 critical data security control objectives for providers to use when reporting their overall data security capabilities. The standards include encrypting data, maintaining procedures to ensure timely responses to detected cybersecurity events, and limiting access to assets to authorized users, processes or devices.

In order to keep record keepers' products and processes a secret, the SPARK standards utilize an independent third-party audit of cybersecurity controls.

"With this tool, vendors can properly validate the robust nature of their cybersecurity systems and provide assurances to clients and prospects that their systems are protected against hackers," the Pension Research Council paper that Mr. Rouse co-wrote states.

"It was important for us not to dictate what methods they have to use, but only that whatever they did was able to be communicated in a way that could be relied upon to make evaluations properly," Mr. Rouse said.

Mr. Taylor, Callan's San Francisco-based senior vice president and vice chairman of the Data Security Oversight Board, said the idea of using a third party to audit a provider's cybersecurity practices is likely the way of the future.

"I don't understand how we're going to be comfortable with self-reporting on that going forward," he said. "I don't think that every organization that exists under the sun has the expertise to individually assess how good people are at cyberdefense," and determining if a provider has adequate cyberdefenses can be burdensome because "just about everyone is doing it differently."

Moreover, from a provider's standpoint, "you can understand how they prefer to work with one expert outside auditor as opposed to doing the same thing slightly differently hundreds and hundreds of times a year, each time touching sensitive data," Mr. Taylor said.

Whether it's the Department of Labor, another regulator, or a legislative effort that acts on this issue, Mr. Taylor said providers should be given "adequate latitude to be adaptable and to do what they think is best in terms of cyberdefenses because if they're constantly evolving that landscape, an overregulation of how they defend themselves could be very problematic." Those cyberdefense decisions can then be compared by plan sponsors when deciding which provider to hire, Mr. Rouse explained.

Also, Mr. Levine said, it's important to get clarity on certain questions, like what constitutes a breach and how should affected parties be notified after one occurs?

It's unlikely that one regulator, such as the DOL, would be able to put forth a set of regulations that answers all the necessary questions because there are simply too many players involved with differing aims and responsibilities, Mr. Levine said. "It would be great to have one standard, but it's challenging to actually get to that one standard because each situation is a little bit different," he noted.

For Keith Overly, executive director of the $13.4 billion Ohio Public Employees Deferred Compensation Program, Columbus, the patchwork of differing state regulations can be especially tough to navigate because his system does its own record keeping. Moreover, the plan he oversees has participants in "most, if not all" states.

It is not clear that personal privacy and cybersecurity statutes would be pre-empted by ERISA, according to Mr. Levine, since it was established long before cyberthreats existed. The paper he co-authored said the "lack of comprehensive financial privacy protections in ERISA could lead courts to determine that no ERISA pre-emption occurs with respect to state protections."

Mr. Levine added that "there's a lot be resolved" with respect to ERISA and cybersecurity.

Added Mr. Overly: "If we did have one standard nationwide instead of maybe 50 different standards in 50 different states, that would certainly be welcome for not just us, but other record keepers who work in multiple states and who have participant data for participants who reside in various states. Of course, the devil's in the details."