February 04, 2019 12:00 AM

Cybersecurity 'patchwork' leaving industry vulnerable

Brian Croce
    David Levine called current cybersecurity regulations 'a patchwork' and said despite some guidance, many questions remain.

    The retirement industry has no unified cybersecurity approach to protect sensitive data, and the amalgam of federal and state regulations doesn't offer any clear approach for security within the retirement space, industry sources said.

    No federal regulation comprehensively governs cybersecurity for retirement plans or service providers, notes a Pension Research Council working paper published in December. The Employee Retirement Income Security Act of 1974 "is silent on data protection in the form of electronic records, and the U.S. courts have not yet decided whether managing cybersecurity risk is a fiduciary function," the paper states. And while some retirement service providers are covered by federal rules based on their industry, they often cross several different industries, complicating which rules they must follow.

    David Levine, principal at the Groom Law Group, said the current cybersecurity regulatory landscape for retirement plans is incomplete: "It's kind of woven together as a patchwork, and the patchwork has holes in it at times." Mr. Levine co-wrote the paper along with Groom colleague Allison Itami; Timothy Rouse, executive director at the SPARK Institute; and Ben Taylor, senior vice president at Callan LLC.

    In a 2016 report to the Department of Labor, the ERISA Advisory Council included guidance for plan sponsors on how to evaluate cyberrisks for their benefit plans. But major questions still persist, Mr. Levine said, such as: Is cybersecurity an ERISA fiduciary responsibility? And if so, does ERISA pre-empt state cybersecurity laws?

    The SPARK Institute, which formed the Data Security Oversight Board composed of industry stakeholders, published a set of cybersecurity best practice standards in 2017 that has been gaining traction among plan sponsors, consultants and record keepers, said Mr. Rouse, of the SPARK Institute. The institute represents retirement industry players such as record keepers, investment advisers, mutual fund companies and benefit consulting firms. The standards are intended to establish a uniform communications tool that helps plan sponsors and service providers properly assess and compare retirement plan vendors, he said. Plan sponsors, through their consultants, are using the standards to evaluate record keepers' data protection capabilities without the record keepers having to disclose their methods.

    Disclosing too much

    One of the main concerns service providers have when answering cybersecurity-related questions is disclosing too much information, even with their plan sponsor clients, Mr. Rouse explained. "If I'm sharing with you the procedures, processes and tools that I'm using to protect your data then that information will eventually get out there and into the hands of the folks that shouldn't have it, and then it builds a road map for those who want to break into your system," he said.

    The SPARK Institute's member firms don't want to share this information, not because they don't believe the questions are warranted but because by sharing it, the processes and procedures "won't be a secret anymore," Mr. Rouse added.

    Using stakeholders' commonly asked questions as a guide, the Data Security Oversight Board identified 16 critical data security control objectives for providers to use when reporting their overall data security capabilities. The standards include encrypting data, maintaining procedures to ensure timely responses to detected cybersecurity events, and limiting access to assets to authorized users, processes or devices.

    To keep record keepers' products and processes confidential, the SPARK standards rely on an independent third-party audit of cybersecurity controls rather than on self-reporting.

    "With this tool, vendors can properly validate the robust nature of their cybersecurity systems and provide assurances to clients and prospects that their systems are protected against hackers," the Pension Research Council paper that Mr. Rouse co-wrote states.

    "It was important for us not to dictate what methods they have to use, but only that whatever they did was able to be communicated in a way that could be relied upon to make evaluations properly," Mr. Rouse said.

    Outside audit

    Mr. Taylor, Callan's San Francisco-based senior vice president and vice chairman of the Data Security Oversight Board, said the idea of using a third party to audit a provider's cybersecurity practices is likely the way of the future.

    "I don't understand how we're going to be comfortable with self-reporting on that going forward," he said. "I don't think that every organization that exists under the sun has the expertise to individually assess how good people are at cyberdefense," and determining if a provider has adequate cyberdefenses can be burdensome because "just about everyone is doing it differently."

    Moreover, from a provider's standpoint, "you can understand how they prefer to work with one expert outside auditor as opposed to doing the same thing slightly differently hundreds and hundreds of times a year, each time touching sensitive data," Mr. Taylor said.

    Whether it's the Department of Labor, another regulator, or a legislative effort that acts on this issue, Mr. Taylor said providers should be given "adequate latitude to be adaptable and to do what they think is best in terms of cyberdefenses because if they're constantly evolving that landscape, an overregulation of how they defend themselves could be very problematic." Those cyberdefense decisions can then be compared by plan sponsors when deciding which provider to hire, Mr. Rouse explained.

    Also, Mr. Levine said, it's important to get clarity on certain questions, such as what constitutes a breach and how affected parties should be notified after one occurs.

    Unanswered questions

    It's unlikely that one regulator, such as the DOL, would be able to put forth a set of regulations that answers all the necessary questions because there are simply too many players involved with differing aims and responsibilities, Mr. Levine said. "It would be great to have one standard, but it's challenging to actually get to that one standard because each situation is a little bit different," he noted.

    For Keith Overly, executive director of the $13.4 billion Ohio Public Employees Deferred Compensation Program, Columbus, the patchwork of differing state regulations can be especially tough to navigate because his system does its own record keeping. Moreover, the plan he oversees has participants in "most, if not all" states.

    It is not clear that personal privacy and cybersecurity statutes would be pre-empted by ERISA, according to Mr. Levine, since it was established long before cyberthreats existed. The paper he co-authored said the "lack of comprehensive financial privacy protections in ERISA could lead courts to determine that no ERISA pre-emption occurs with respect to state protections."

    Mr. Levine added that "there's a lot to be resolved" with respect to ERISA and cybersecurity.

    Added Mr. Overly: "If we did have one standard nationwide instead of maybe 50 different standards in 50 different states, that would certainly be welcome for not just us, but other record keepers who work in multiple states and who have participant data for participants who reside in various states. Of course, the devil's in the details."
