With more than $9.3 trillion held in retirement accounts, it is no surprise that these accounts present a potential target for cyber-security attacks. In recognition of this threat, the SPARK Institute has taken steps to establish cyber-security best practices and a process to assist plan sponsors and consultants in evaluating retirement industry service providers’ capabilities.
The Data Security Oversight Board (DSOB) was formed in September of 2017. This board is a permanent, ongoing authority with the responsibility to regularly review best practice standards and, when necessary, issue updates. The DSOB currently has 37 members made up of both retirement industry service providers and consulting firms. While its members are competitors in most respects, the board is one of the few examples of the retirement industry working together to build a stronger defense against a common threat. Cooperation and sharing of information are essential to providing higher levels of protection for all plan sponsors and for participant data. Although written for service providers’ technical teams, the SPARK Institute’s Industry Best Practice Data Security Reporting document may be worth reviewing as well.
The DSOB’s best practices consist of 16 control objectives and the requirement for an independent third-party auditor to review compliance with the 16 objectives and, if necessary, provide a mapping to other certifications that service providers may already have in place. In this way, existing certifications will be complementary to the DSOB control objectives.
Most recently, the Financial Services Information Sharing and Analysis Center (FS-ISAC) announced a partnership with the SPARK Institute to create the Retirement Industry Council (RIC) to help promote voluntary information sharing and threat intelligence among members within the retirement industry that administer defined contribution plans and other retirement plans. Members of the RIC from the DSOB and FS-ISAC will share information about solving security challenges and focus on the combination of physical and cybersecurity threats faced by the retirement industry. Through this collaboration, the RIC will also provide best practices on security controls and priorities for service providers.
It is important to note that, as SPARK states, these standards and practices are not intended to provide a recommended level of cyber protection or a guarantee against a data breach or loss, but plan sponsors can take some comfort in the fact that the retirement industry as a whole is collaborating to safeguard participant accounts.
The SPARK Institute is a member-driven, non-profit organization that is the leading voice in Washington for the retirement plan industry. It helps shape national retirement policy by developing and advancing positions on critical issues that affect plan sponsors, participants, advisers, service providers, and investment providers. Members include recordkeepers, advisers, mutual fund companies, brokerage firms, insurance companies, banks, consultants, trade clearing firms, and investment managers. Collectively, its members serve approximately 85 million participants in 401(k) and other defined contribution plans.
FS-ISAC, or the Financial Services Information Sharing and Analysis Center, is the global financial industry’s go-to resource for cyber and physical threat intelligence analysis and sharing. FS-ISAC is unique in that it was created by and for members and operates as a member-owned nonprofit entity. Launched in 1999, FS-ISAC was established by the financial services sector in response to 1998’s Presidential Directive 63. That directive – later updated by 2003’s Homeland Security Presidential Directive 7 – mandated that the public and private sectors share information about physical and cybersecurity threats and vulnerabilities to help protect U.S. critical infrastructure.