PLANADVISER - January/February 2020 - 19

Hawes suggests defining what falls under the category
of " security breach. " As he explains, " Ultimately, this means
defining what would constitute a breach, such that the
recordkeeper needs to take action, and defining the specific
obligations of the recordkeeper following the breach. "
It is important to spell out the recordkeeper's guarantee
if a breach does occur, Brummel agrees. " In what situations
does the guarantee apply? And what requirements
does a participant have to meet to be reimbursed for a loss,
such as there being a statute of limitations? " He says some
recordkeepers stipulate that, to get reimbursed, a participant
has to have registered his account online prior to the
cybercrime. Another common stipulation: A participant has
to notify the recordkeeper within a " reasonable " amount of
time of a suspected cybercrime. One major recordkeeper
has a 90-day limit, he says.
The agreement also can specify what ongoing cybersecurity
reporting the provider will give a sponsor. Additionally,
Clark suggests that the sponsor and recordkeeper agree to
periodically revisit provisions, as the nature of cyber threats
shifts. Because technology and the sophistication of attacks
constantly evolve, what works in an agreement now might
not work two years from now, she observes.
Monitoring: Keep an Eye On It
Fiduciaries also should monitor a recordkeeper's data security
on an ongoing basis, Hawes says. " Fiduciaries typically
don't run their own tests on a recordkeeper's cybersecurity.
But it's important to understand what tests the recordkeeper
is running and to ask questions of the recordkeeper about it, "
he says. A service agreement may specify the security tests
and audits that a provider will undergo on a regular basis.
" Oversight can be as basic as making sure the cybersecurity
commitments the recordkeeper made in the contract have
been kept, " he says.
For plan advisers, monitoring is an issue of keeping up
with changing data-security standards and understanding
a recordkeeper's current cybersecurity processes, Sampson
says. " And I'd like to know, what are the results
each year of the recordkeeper's cybersecurity
self-testing? " He envisions such findings
covered as part of the standard yearend
annual client-review package
and covering points such as the
number of tests the recordkeeper
did internally during the year
and the potential issues it saw.
" Many of these companies
have spent an incredible
amount of money beefing
up their cybersecurity, " he
observes. " It's surprising to
me that more recordkeepers
haven't created reporting like
this, to use as a marketing and
sales tool. But now they're getting
to the point where they can say,
'We've had these protections in place for two years, or five
years. We've got the data that we can report on to sponsors.' "
He hopes to see data-security reporting presented in a way
that
is simple enough for sponsors without
technology
expertise to understand.
Some recordkeepers also have an audit done of their own
cybersecurity, and Kulick notes it is helpful, as an adviser,
to see reporting on that. " The providers should be relying on
a qualified third party to come in and identify weaknesses
in their system. And if weaknesses are identified, the report
should discuss how they were resolved, " he says.
While such audits are not yet an industry standard,
Brummel anticipates that increasingly recordkeepers will
have an audit done that complies with the American Institute
of Certified Public Accountants (AICPA) SOC 2®
reporting
standards. " No plan sponsor or adviser has the time and the
expertise to go fully through all aspects of a recordkeeper's
cybersecurity themselves, " he says. " SOC 2 will give you an
independent review of the provider's practices. " Getting that
reporting regularly could help a sponsor meet its fiduciary
responsibility to protect participants, he adds.
Some advisory firms such as CAPTRUST also now
proactively send recordkeepers a cybersecurity questionnaire,
to help the firm with monitoring. " We have recently
begun requesting reporting on a plan-by-plan basis, " Kulick
says. " And our provider due-diligence team regularly sends
recordkeepers questionnaires that aren't client-specific. "
The questionnaires ask things such as what cybersecurity
improvements and enhancements the recordkeeper has
made since the last questionnaire.
Strategic Retirement Partners has sent this type of questionnaire
to providers for the past two years and plans to do
it again this year. " It's a list of questions that helps us document
an overview of their cybersecurity and privacy policies, "
Brummel says. For example, it asks if the recordkeeper
has experienced any security breaches in the past year and,
if so, to explain what happened.
" Plan sponsors have an obligation to try to protect participants'
accounts, and clients rely on us as their
adviser to help them fulfill their responsibilities, "
he says.
For Brummel, the annual questionnaire
also helps keep him updated
on data-security issues. " Keep in
mind, the recordkeepers can't
tell us everything. If they tell
us all the details about their
data-security
system,
essentially
they've given us their
security 'code,' " he points out.
" But I don't know how anyone
could keep up with this issue
without getting this information.
I don't consider myself a
technology expert, but I need
to know enough to ask the right
questions. " -Judy Ward
planadviser.com January-February 2020 | 19
http://www.planadviser.com
PLANADVISER - January/February 2020

Table of Contents for the Digital Edition of PLANADVISER - January/February 2020
