Get to know the SPARK Institute's cybersecurity best practices
Cybercriminals continue to target retirement assets, and for good reason—there’s $32.3 trillion to go after.¹ And although retirement plan providers normally compete against one another, we all recognize we need to work together on cybersecurity. This collective mindset contributed to the SPARK Institute’s “Plan Sponsor and Advisor Guide to Cybersecurity”—a framework for recordkeepers to document and communicate their cybersecurity capabilities and processes. We’ve outlined the key areas outlined by SPARK, so you can follow up with your service providers to help secure your retirement plans.
What’s the SPARK Institute?
SPARK—the Society of Professional Asset Managers and Recordkeepers—is a nonprofit organization that advocates and lobbies for the retirement plan industry. SPARK comprises leaders and executives from different business areas (e.g., IT, finance, product, etc.) across the retirement industry, including recordkeepers, asset managers, and consultants.
Their goals are to improve retirement policies and legislation and advance critical issues affecting retirement plan participants, plan sponsors, and providers. To execute their goals, they created several committees, including the data security oversight board (DSOB), which develops best practices for protecting your data and defending against cyberattacks and fraud.
Guiding plan sponsors and advisors on cybersecurity
The DSOB’s latest publication is the “Plan Sponsor and Advisor Guide to Cybersecurity,” which provides a structured baseline for managing and communicating cybersecurity protocols. By using this framework, retirement plan recordkeepers can show the public—clients, partners, and prospects—an audited summary of 17 key control objectives. These objectives also align with the U.S. Department of Labor’s (DOL) guidance on cybersecurity, creating a consistent focus across the industry.
SPARK recommends retirement plan service providers have their cybersecurity practices audited by a third party and summarized according to these 17 categories. They also provide sample controls in their guide.
1 Risk assessment and treatment—Show you know how cybersecurity threatens your business operations, assets, and people.
2 Security policy—Create and maintain a policy for information security.
3 Organizational security—Establish roles responsible for managing information, data, and system security.
4 Asset management—Identify all systems, devices, and similar needed to run your business and show they’re managed appropriately.
5 Human resource security—Hire suitable candidates (following background checks) and provide education and training for the human resources team, given their access to sensitive and personally identifiable information.
6 Physical and environmental security—Prevent unauthorized access to hardware and assets necessary to run the company’s operations.
7 Communications and operations management—Implement the appropriate system security tools, such as firewalls and antivirus software.
8 Access control—Limit employee access to role-specific files, software, etc.
9 Information systems acquisition development—Conduct routine vulnerability testing on all internal and external systems.
10 Incident and event communications management—Define and test processes for the timely handling of reported cyber incidents.
11 Business resiliency—Implement disaster recovery protocols to ensure business continuity.
12 Compliance—Establish policies to adhere to cybersecurity-related legal requirements.
13 Mobile—Create a policy around mobile device security.
14 Encryption—Guard access to stored and in-transit data.
15 Supplier risk—Protect company assets and systems from suppliers.
16 Cloud security—Safeguard data and other assets stored in cloud environments.
17 Ransomware—Implement processes for detecting and responding to ransomware attacks.
This guide is intended to provide a foundation for providers to build on. It’s not all-encompassing, nor does it guarantee complete security if followed. As new attacks surface and industry leaders, such as SPARK, learn from experience, cybersecurity best practices will surely evolve.
Cybersecurity—it takes a village
SPARK’s guide is expected to help retirement plan service providers get more organized and put controls in place, but the responsibility doesn’t lie with service providers alone. It also falls to plan sponsors and retirement plan participants, who regularly communicate with providers and share sensitive information to complete requests, such as account distributions. Taking an extra step to authenticate an account number (e.g., confirm over the phone that an email was genuine and not a phishing attempt) may be a nuisance, but pales in comparison to a hacker taking your money.
SPARK: helping to combat cybersecurity
The SPARK Institute is one of the retirement industry’s greatest advocates, continually pushing for equitable policy and regulation for U.S. retirement savers. They set out to upgrade their cybersecurity best practices in 2022 and align them with the DOL’s guidelines, and they delivered the “Plan Sponsor and Advisor Guide to Cybersecurity” as a result. Now it’s up to us all to do our part in protecting Americans’ retirement assets from bad actors.
1 “Retirement Assets Total $32.3 Trillion in Third Quarter 2022,” Investment Company Institute, 12/15/22.
The content of this document is for general information only and is believed to be accurate and reliable as of the posting date, but may be subject to change. It is not intended to provide investment, tax, plan design, or legal advice (unless otherwise indicated). Please consult your own independent advisor as to any investment, tax, or legal statements made.