While they are fighting hard to attract new customers and retain existing ones, DC plan record keepers have set aside their competitive nature when it comes to cybersecurity.
They share information, follow industry guidelines to develop best practices, collaborate to improve communication with sponsors and participants, and rarely use cybersecurity practices to differentiate their services from those of peers, the sources said.
Many record keepers, especially the larger ones, have similar policies that reimburse participants who lost money to a cyberattack if, and only if, participants and sponsors practice proper cyber hygiene.
And many of the record keepers’ policies and practices began long before the Department of Labor issued cybersecurity guidance in April 2021 covering online safety tips, cybersecurity best practices, and tips for sponsors on hiring a record keeper.
“The topic of cybersecurity has been a concern of record keepers for a long time,” said Michael Hadley, a Washington-based partner at the law firm Davis & Harman LLP and a member of the advisory board of SPARK Institute Inc., which represents record keepers and other members of the defined contribution industry.
The cybersecurity upgrade “was not driven by requests from sponsors and consultants,” Hadley said. “This is critical to their mission.”
Large record keepers that are part of companies providing financial services have long felt the need for cybersecurity protection, he said. As a result, the challenges and responses are so pervasive that record keepers don’t have to use them as a marketing tool. “All of the record keepers know that the sponsors are going to ask them,” he said.
The industry’s sensitivity to cybersecurity also means that the April 2021 DOL guidance requirements were familiar to the industry. “Most of the record keepers saw this as (something) we expected,” Hadley said.
Through the SPARK Institute, Simsbury, Conn., the industry got ahead of regulators and lawmakers with an industry best practices document on data security reporting published in 2017 and a cyber fraud and security breach report published in 2019. SPARK added a fraud control best practices report in July 2021.
“The first job is to protect the data,” said Tim Rouse, executive director of the SPARK Institute. Cooperation between members is important because cyber damage to the weakest member “is damage to the industry.”
A key component of the SPARK effort was creating a common language among record keepers to describe various cyber events. “Standardized information for all record keepers allows consultants to compare one record keeper to another,” he said. The word “breach,” for example, had been subject to different interpretations within the industry.
The 2019 SPARK cybersecurity document now narrows the definition of a breach to a “confirmed compromise of an information system within the authority or responsibility of a record keeper that results in: the unauthorized acquisition, disclosure, modification, or use of unencrypted personal data, or encrypted personal data where the encryption key has also been compromised, and a likely risk of identity theft or fraud against the data subject.”
SPARK adds that there are some exceptions to its definition. “A bona fide but unauthorized or unintentional acquisition, disclosure, modification, or use of personal data by an employee or contractor of the record keeper, or by a party that has entered into a confidentiality agreement with the record keeper, does not constitute a security breach if the personal data is not subject to unauthorized acquisition, disclosure, loss, modification or use,” the document says.