Retirement Plan Cyber Security Terms Concern Fiduciaries
Retirement plan cyber security terms are of growing interest to retirement plan fiduciaries and plan sponsors, and it’s no wonder. Plan sponsors are paying more attention to retirement plan cybersecurity terms now that many plans have been the victim of cyber attacks. Retirement plan cybersecurity threats are on the rise, and they continue to pose new risks for plan fiduciaries as well as participants. A single successful cyber-attack can cost an organization more than $5 million, or $301 per employee, according to the Ponemon Institute. Gartner Inc. predicts that vendors will spend $124 billion on information security worldwide during the calendar year 2019. And information security research firm and publisher Cybersecurity Ventures predicts that, by 2021, cyber crime will cost the world $6 trillion annually.
In addition, exactly how retirement plan services providers, such as recordkeepers, should communicate to a plan sponsor about a retirement plan cybersecurity breach is still unclear. No concrete rules or regulations have been established around cybersecurity protocols for the industry. But forward progress continues to be made in that direction. For example, The SPARK Institute, a research think tank that helps shape national retirement policy by providing education, testimony and comments on pending legislative and regulatory issues to legislators, has recently developed common definitions for retirement plan cyber security terms.
Plan fiduciaries should be mindful that lists and definitions serve mostly to provide clarity — to help get the retirement industry on the same page about the meanings of key terms related to cyber security. Retirement plan cybersecurity definitions are not designed to supersede any existing laws, legislation or regulations.
InvestmentNews recently published an article spotlighting the tensions between plan sponsors and plan service providers that have arisen from the rise in retirement plan cybersecurity concerns. Two issues fueling those tensions are the proliferation of retirement plan cyber security questions and how probing those questions have become. Plan sponsors aren’t only asking recordkeepers more questions about cyber security; they are now probing much deeper. However, asking vendors to describe how they defend against cyber attacks could expose that information to potential hackers, making the vendors’ systems more vulnerable to attack. As a result, some vendors are refusing to respond to such questions.
Today, disclosure is a key issue. Plan sponsors cannot seem to get the information they need to make informed vendor hiring decisions, because vendors withhold it by citing the very security risks the sponsors are trying to protect against. The result is a fundamental disconnect between vendors and plan sponsors when it comes to full disclosure and retirement plan cyber security protection protocols. Hopefully, having clear definitions, as developed by SPARK’s DSOB, can help clear up some of the confusion and open the lines of communication between vendors and plan fiduciaries. It’s a start.