Although they fight vigorously to attract new clients and retain existing ones, defined contribution plan record keepers have put aside their competitive nature when it comes to cybersecurity.
They share information, follow industry guidelines to develop best practices, collaborate to improve communication to sponsors and participants, and rarely use cybersecurity practices to differentiate their services from their peers, sources said.
Many record keepers, most notably the largest ones, have similar policies that will reimburse participants who lost money due to a cyberattack if — and only if — the participants and sponsors practice appropriate cyber hygiene.
And many of the record-keeper policies and practices started long before the Department of Labor issued cybersecurity guidelines in April 2021 covering online security tips, cybersecurity best practices and tips to sponsors for hiring a record keeper.
"The issue of cybersecurity is one that record keepers have been worried about for a long time," said Michael Hadley, a Washington-based partner in the law firm of Davis & Harman LLP and an advisory board member of the SPARK Institute Inc., which represents record keepers and other members of the defined contribution industry.
Upgrading cybersecurity "was not driven by requests from sponsors and consultants," Mr. Hadley said. "This is critical to their mission."
Large record keepers that are part of companies that provide financial services were long ago attuned to the need for cybersecurity protection, he said. As such, the challenges and responses are so ubiquitous that record keepers don't have to use them as a marketing tool. "All record keepers know they are going to be asked" by sponsors, he said.
The industry's sensitivity to cybersecurity also means that the requirements in the April 2021 DOL guidance were familiar to the industry. "Most of the record keepers saw this as (something) we had expected," Mr. Hadley said.
Through the SPARK Institute, Simsbury, Conn., the industry acted ahead of regulators and legislators with an industry best practices document on data security reporting published in 2017 and a security breach and cyberfraud report published in 2019. SPARK added a fraud control best practices report in July 2021.
"Job one is to protect the data," said Tim Rouse, executive director of the SPARK Institute. Cooperation among members is important because cyber damage to the weakest member "is damage to the industry."
One key component of SPARK's effort was to create a common language among record keepers in describing various cyber events. "The standardized information for all record keepers enables consultants to compare one record keeper vs. another," he said. The word "breach," for example, had been subject to different interpretations within the industry.
Now, the 2019 SPARK cybersecurity document narrows the definition of a breach to a "confirmed compromise of an information system within the authority or responsibility of a record keeper that results in: the unauthorized acquisition, disclosure, modification or use of unencrypted personal data, or encrypted personal data where the encryption key has also been compromised; and a likely risk of identity theft or fraud against the data subject."
SPARK adds that there are some exceptions to its definition. "A good faith but unauthorized or unintentional acquisition, disclosure, modification or use of personal data by an employee or contractor of the record keeper or a party who has signed a confidentiality agreement with the record keeper does not constitute a security breach if the personal data is not subject to further unauthorized acquisition, disclosure, loss, modification or use," the document says.