Do recordkeepers differ in what they offer for cybersecurity?

Plenty of advisors are preaching to retirement plans’ fiduciaries (mostly, employers) that they ought to do something about cybersecurity.

Imagine an employer takes heed, and tries to follow EBSA’s Tips for Hiring a Service Provider with Strong Cybersecurity Practices.  https://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/tips-for-hiring-a-service-provider-with-strong-security-practices.pdf

Step 6 is about what a fiduciary should seek to include in (or delete from) a service provider’s contract.  It includes a list of five or six provisions a fiduciary should seek.

But is this realistic?  Imagine a plan’s size limits its negotiation with a recordkeeper to engaging it (on its standard terms) or not.

For the points the EBSA guidance mentions, are there meaningful differences in what recordkeepers offer?  Or are recordkeepers’ provisions so much in a common mainstream that there’s nothing much an employer would compare?

Peter Gulia PC

Fiduciary Guidance Counsel

Philadelphia, Pennsylvania

215-732-1552

Peter@FiduciaryGuidanceCounsel.com


Well, if you are asking what r/k's put in their service agreements, it's all over the board, I'm sure.  If you are asking about what they do to protect plan data, I'm also sure they all have robust cybersecurity protocols, but can't tell you what they are (because that in and of itself would be a cybersecurity breach).  There really are no "universally" agreed upon "standards" (yet), although the NIST standards appear to be the starting point of many I'm familiar with.  We have a "written information security program" document which we provide to clients, which, if you read it thoroughly, demonstrates compliance (and much, much more) with the DOL suggestions.  Because of the DOL's announcement, we are developing more of a marketing piece that parallels the DOL's "suggestions" point by point.  Furthermore, we have cybersecurity commitments in our services agreement, BUT DO NOT REPRESENT THAT WE "COMPLY" WITH THE DOL PROTOCOLS - because 1) they are suggestions, not "requirements;" 2) they can change at any time; and 3) our IT security experts laughed at them as being woefully superficial, and beneath the dignity of any real IT security program.  We tell our clients that - and teach them that asking for a commitment to follow the DOL is probably a fiduciary breach - as it is a shortcut that might not be sufficient.  They need to know more, and understand more, to not be a bad fiduciary.

MoJo, thank you for your good and helpful information.

I am less confident that recordkeepers’ standard service agreements differ.  Many refer to taking “commercially reasonable” steps; but that does little more than invite an expensive argument about what that phrase meant.  A few refer to one or more of SPARK’s Industry Best Practices, but those are so wide and conceptual that almost anything could be argued to meet them.

I haven’t seen any standard service agreement state obligations in a way that would support independent testing of whether the recordkeeper met or breached its obligation.

Perhaps that’s because there is no set of generally recognized standards.  And revealing too much about methods weakens their security and control.

Although one might want fiduciaries to seek more than EBSA suggests, I suspect many fiduciaries (at least those with smaller plans) can’t meaningfully do even as little as EBSA suggests.

Do others have different or further observations?

Peter Gulia PC

Fiduciary Guidance Counsel

Philadelphia, Pennsylvania

215-732-1552

Peter@FiduciaryGuidanceCounsel.com


1 hour ago, Peter Gulia said:

I haven’t seen any standard service agreement state obligations in a way that would support independent testing of whether the recordkeeper met or breached its obligation.

Perhaps that’s because there is no set of generally recognized standards.  And revealing too much about methods weakens their security and control.

What you have pointed out is in fact the problem with "complying" with the DOL suggestions.  And as well, there is no "standard" apart from NIST, etc., which in many parts are inapplicable to this particular issue/industry.  We've had many, many clients ask that we incorporate compliance with "industry standards" and we refuse - because there aren't any, won't be any, and it's as bad as "commercially reasonable."  Our solution, by the way, was to simply indemnify the client and plan from any loss suffered as a result of a cybersecurity incident, and compliance with applicable laws (mostly state laws) with respect to remedies for privacy issues.

We have almost a dozen providers for our plans and I have been going through the exercise of checking on their cybersecurity practices, in an attempt to comply with the DOL suggestion, in the form of a questionnaire.  There have been six providers that have responded so far, and other than how they word their response there are not many variations between the providers' responses.  Most of the responses are so generic, in order to not disclose cybersecurity details, that it feels like a check-the-box and never-look-at-the-results type of project.

When we go for our next RFP we will be updating it to address the DOL listing more completely in our service agreements.

..... And yes, I know that is way too many providers, but almost all are legacy vendors that have individual contracts we cannot move without a large cost at this time!

Tommy - FWIW, I don't think that 12 providers/vendors/platforms or whatever are necessarily too many. We are just a fee-for-service TPA, and many of our referrals come from CPA's and investment Advisors. They, and their clients, choose the investments and the platform. So we work with a lot of platforms/providers. Mind you, it would be NICE if they'd work with a limited number, but we have no control...


I don't think there is a simple answer to that, but in my world, the recordkeeper's PRIMARY function is tracking assets on daily valuation platforms. Many of them also perform other functions, particularly on larger plans, and different recordkeepers perform different functions.


Our firm posed questions regarding cybersecurity compliance practices to many of our recordkeeper partners, and cohosted webinars with the recordkeepers to communicate each organization's approach. We compiled responses from twenty-five recordkeepers, and hosted twelve webinars.

Big picture, I'd suggest that while there are similarities in approach, there are some material differences between different providers, and generally, the larger the provider, the deeper the cybersecurity compliance approach. Here are some areas of difference that I noted:

  • Customer guarantee. Most offer reimbursement if security is breached; distinctions arise regarding conditions to qualify for reimbursement. The best simply require attestation that login credentials weren't shared and agreement to support efforts to prosecute if the thief is apprehended. The worst guarantees require documentation that all security recommendations were followed (e.g., regularly changing password, maintaining antivirus, updating systems, etc.). The worst guarantees are, IMO, unlikely to pay out following a breach.
  • Number of employees dedicated to cybersecurity. The largest entities have almost 1,000 people in this role. And they take it seriously, running "red team" / "white team" exercises regularly.
  • Proactive vs. reactive. Some providers will actively search the dark web and will notify participants if they find evidence that their credentials have been breached BEFORE there's an attempt at a hack. Kind of creepy, perhaps, but could be necessary to avoid losses.
  • Use of advanced techniques. Two-factor authentication is almost universal. Newer techniques like voice authentication are less common. Lockouts on certain transactions for some time period following "high risk" events (e.g. address changes) are increasingly common.
  • Different levels of ISO certification. Most feature ISO 27001 certification. https://www.iso.org/isoiec-27001-information-security.html. Some go all the way to ISO 27002.

We think of ourselves as primarily investment consultants to retirement plan sponsors. But increasingly, the scope of our consulting advice is expanding to administration, compliance, plan design, and now, to cybersecurity. Just part of the world, so we do our best to stay informed on topics that historically haven't come under our purview.


JonC, thank you for your excellent information.

If I may ask a little more:

Does the wideness or narrowness of a guarantee vary with how much the recordkeeper wants to get or keep the customer?  For example, does a mega or large plan get a wide guarantee, while a micro plan is offered only a narrower guarantee (or none)?

For a lockout after an address change or other risk-introducing event, how many days elapse or what fact or condition must change to end the lockout?

Peter Gulia PC

Fiduciary Guidance Counsel

Philadelphia, Pennsylvania

215-732-1552

Peter@FiduciaryGuidanceCounsel.com


Hi Peter.

In our experience, the guarantee is set by the provider and doesn't vary for mega or small plans. It's either wide or narrow, and plan size/desire to retain the client doesn't play much of a role. Perhaps a truly mega plan could negotiate laxer guarantee standards, but I haven't seen that happen--and our largest plan clients are measured in the billions.

Details about lockout protocols are not publicized, to protect against "bad actors" gaming the protocols, but my experience is that the lockout typically lasts approximately ten business days, which allows the RK the opportunity to confirm the change (address change or other) with the participant. We recently had an experience with a client that was looking to complete a plan termination, and one of the few remaining (former) participants had moved, so had processed a change of address, which locked them out from a distribution. The participant was able to confirm her identity with the call center, have the lockout lifted, and receive her distribution. So there's flexibility in the lockout; the approach should perhaps be described as "enhanced security procedures" rather than truly as a lockout.

Hope that helps with your questions!
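An added illustration of the "enhanced security procedures" JonC describes in the bullet on transaction lockouts and in the reply above: a hold on distributions for a fixed number of business days after a high-risk event such as an address change, which a verified identity confirmation can lift early. This is example code written for this thread, not any recordkeeper's or poster's logic; the ten-business-day window is taken from the post, while the event names, the Python structure and the absence of a holiday calendar are assumptions (real lockout rules are, as the post says, not public).

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumption taken from the post: the hold lasts "approximately ten business days".
HOLD_BUSINESS_DAYS = 10

# Assumed list of events that trigger the hold; a real recordkeeper's list is not public.
HIGH_RISK_EVENTS = {"address_change", "bank_account_change", "password_reset"}


def add_business_days(start: date, n: int) -> date:
    """Return the date n weekdays after start (weekends skipped; no holiday calendar)."""
    current = start
    added = 0
    while added < n:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 .. Friday=4
            added += 1
    return current


@dataclass
class ParticipantAccount:
    participant_id: str
    hold_until: Optional[date] = None
    hold_reason: Optional[str] = None
    verified_since_event: bool = False
    audit: List[str] = field(default_factory=list)  # plain-text trail for later review

    def record_event(self, event: str, on: date) -> None:
        """Log a profile change; high-risk events start (or restart) the hold."""
        self.audit.append(f"{on}: event {event}")
        if event in HIGH_RISK_EVENTS:
            self.hold_until = add_business_days(on, HOLD_BUSINESS_DAYS)
            self.hold_reason = event
            self.verified_since_event = False  # a new event voids any earlier confirmation
            self.audit.append(f"{on}: hold placed until {self.hold_until} ({event})")

    def confirm_identity(self, on: date, channel: str) -> None:
        """Record a verified identity check (e.g. call-center verification), which lifts the hold."""
        self.verified_since_event = True
        self.audit.append(f"{on}: identity confirmed via {channel}; hold may be lifted")

    def distribution_allowed(self, on: date) -> Tuple[bool, str]:
        """Decide whether a distribution may proceed on the given date, with the reason."""
        if self.hold_until is None:
            return True, "no hold on account"
        if self.verified_since_event:
            return True, f"hold for {self.hold_reason} lifted after identity confirmation"
        if on > self.hold_until:
            return True, f"hold for {self.hold_reason} expired on {self.hold_until}"
        return False, f"hold for {self.hold_reason} in effect until {self.hold_until}"


def demo() -> Tuple[bool, bool, bool, bool]:
    """Walk through the scenario in the post with constructed dates (2024-03-04 is a Monday)."""
    acct = ParticipantAccount("P-0001")
    acct.record_event("address_change", date(2024, 3, 4))
    blocked_next_day = acct.distribution_allowed(date(2024, 3, 5))[0]
    blocked_last_day = acct.distribution_allowed(date(2024, 3, 18))[0]
    allowed_after_expiry = acct.distribution_allowed(date(2024, 3, 19))[0]
    # The participant calls in and is verified, so the hold is lifted early.
    acct.confirm_identity(date(2024, 3, 6), "call center")
    allowed_after_verification = acct.distribution_allowed(date(2024, 3, 7))[0]
    return blocked_next_day, blocked_last_day, allowed_after_expiry, allowed_after_verification


if __name__ == "__main__":
    print(demo())
```

The design point is that the hold is a state on the account rather than a flat denial: it expires on its own, it can be cleared by a recorded verification step, and every transition lands in the audit trail, which is what lets a fiduciary or auditor later check that the procedure was actually followed.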
