PLANADVISER - January/February 2020 - 18

cover story
The RFP: Dig Deeper
All major recordkeepers have gone to great lengths to protect account holders, Sampson says. "But some have gone above and beyond, versus the others." The search process can help reveal the distinctions. For example, he says one recordkeeper has an "ethical hacking team" within the company, in effect an internal red team that continuously tests the provider's own systems. "They spend all day, every day, trying to hack into the recordkeeper's system internally, to see if there are any vulnerabilities, so they can fix them," he says.
To evaluate a recordkeeper's data security first requires understanding the fundamentals of how that provider's technology works, Kulick says. For one thing, is the system mainframe-based or cloud-based? "Then, it's going a step further and looking at, what types of controls does the recordkeeper have in place? What is it doing proactively to address the threats coming in? And it's important to understand what would happen if somebody's account is breached: What would the provider do in response? Also, are its security programs adaptable as cybersecurity threats change, or does it have an inflexible framework?"
A HAZY LEGAL PICTURE
It is unclear, from a legal and regulatory perspective, exactly how fiduciaries are expected to protect participants' retirement plan data and assets. "With health-care data, you have HIPAA [Health Insurance Portability and Accountability Act], which has a lot of specific rules about the steps that employers have to take," says Brenna Clark of Eversheds Sutherland LLP. "There is no equivalent law on the retirement plan side. So fiduciaries really just have to follow the ERISA [Employee Retirement Income Security Act] standard of acting in the best interests of participants. But it's not clear what that means, in this case, and there hasn't been any formal regulatory guidance on it."
The fiduciary standard "likely means taking some steps to make sure participants' data and assets are secure," Clark continues. Doing so comes into play at several stages, including the recordkeeper search process, the service agreement and ongoing monitoring, she says.
Fiduciaries who fail to implement sound data-security processes may be vulnerable to future participant lawsuits over cybersecurity issues. "Under ERISA's fiduciary obligations, plan fiduciaries should be sensitive to this issue and recognize that it wouldn't be hard for a court to conclude that ERISA imposes obligations on a fiduciary to protect participants and plans from cybersecurity threats," says Matthew Hawes of Morgan, Lewis & Bockius LLP.
SPARK [Society of Professional Asset Managers and Recordkeepers] Institute Inc. has produced guidelines on data-security standards for recordkeepers, Hawes says. "But there is no single regulatory authority that has established: 'This is exactly what you need to do,'" he says. "That creates a challenge for plan sponsors. The key is to engage with the recordkeeper early on cybersecurity issues, and often." -JW

Attorney Brenna Clark says a section on data security in a request for proposals (RFP) can start by asking a few general questions. "You can say, 'Tell us about your cybersecurity system. What steps have you taken to stay ahead of threats?'" says Clark, a partner at Eversheds Sutherland LLP in Atlanta. "We like to encourage the recordkeeper to provide detailed explanations, especially if a plan sponsor is not familiar with cybersecurity issues."
Subsequent questions can get more specific, and Clark lists some to consider asking: What specific steps will the provider take if there is a breach? How will the provider notify the sponsor if a breach happens? What financial liability is the provider willing to take on if a breach occurs? How often will the provider report on its cybersecurity efforts? What cybersecurity insurance does the recordkeeper have? Does the recordkeeper limit the number of its own personnel with access to participants' personal data? What background checks does the provider do on staff members who will have access to participant data? And what training does the provider do for its staff on data security?
Sampson sees the varying cybersecurity guarantees that recordkeepers have adopted as an important differentiator. "There are different levels of guarantees among the recordkeepers: It all depends on the cybersecurity insurance the recordkeeper has," he says. "Some will replace the entire amount taken from the participant's account, and some also will replace any gain on the investment while the money is out of the account. So ask them, 'Do you make the participant whole? If there's a breach or a hack and the employee has his or her money taken out, do you replace it in full?'"
If the plan fiduciary seeking a recordkeeper has its own cybersecurity standards, it should reveal them in the RFP, advises Matthew Hawes, a partner at law firm Morgan, Lewis & Bockius LLP in Pittsburgh. "One of the key elements is to make sure you engage very early in the process with the potential recordkeeper, to get in front of them with the plan fiduciary's preferred data-security provisions," he says. "Making those provisions part of the process can be a key differentiator in making a decision on which recordkeeper to choose."
The Service Agreement: Spell It Out
The service agreement can help protect a plan and its participants by clearly spelling out the recordkeeper's cybersecurity obligations. "It really comes down to, what is the provider willing to put down in writing, with respect to its security measures?" Kulick says.
It helps to define cybersecurity parameters in the contract, Hawes says. Clarify what data falls under the category of "confidential and protected information," for instance. "The definitions can vary greatly among recordkeepers," he says. "There's a tension between what a plan fiduciary might want to have considered to be confidential information and what a provider might want. Often, plan fiduciaries will try to negotiate for as broad of a definition as possible."
