In its report released on March 15, 2021, “Federal Guidance Could Help Mitigate Cybersecurity Risks in 401(k) and Other Retirement Plans”, the Government Accountability Office (GAO) found that plan sponsors and administrators, along with their supply chain vendors, share a variety of personally identifiable information (PII) and plan asset data as they perform their fiduciary and contracted duties, respectively. Sharing this information creates a significant cybersecurity risk to all parties involved, including plan participants (figure 1). GAO recommended, among other things, that the Department of Labor (DOL) issue guidance to plan sponsors and record keepers establishing minimum expectations for addressing cybersecurity risk. Following the GAO recommendation, the DOL issued best practice guidance providing a high-level starting point for implementing cybersecurity.
While these best practices do not apply to all retirement plans, a similar level of risk is shared across all of them.
How should fund managers strategically approach implementing DOL’s best practice guidance?
Funds should consider conducting a comprehensive risk assessment to understand their cybersecurity risk exposure. The scope of the risk assessment should include all data processing activities performed by the Fund’s people, processes, and technology. This includes third parties.
Absent a definitive set of regulatory requirements, funds should consider assessing their cybersecurity risk leveraging a widely accepted framework like the NIST Cybersecurity Framework. By leveraging a widely adopted framework, funds are well positioned to comply with the emergence of future regulatory requirements.
The NIST Cybersecurity Framework establishes a common language and cybersecurity standards across all industries. The framework is based upon five functional areas: identify, protect, detect, respond, and recover. These five functional areas each have corresponding categories and sub-categories of control standards that systematically address commonly shared risk areas agnostic of industry or technology.
It is also helpful to include industry benchmark data as part of a comprehensive risk assessment. This helps Fund leadership contextualize its risk exposure relative to its industry.
A risk assessment provides a detailed summary of a Fund’s security program, describing strengths, weaknesses, and improvement recommendations. To make it actionable from a management perspective, being clear about what is most important helps with decision-making.
Funds should establish a risk-informed roadmap that systematically addresses the most impactful cybersecurity risks first. In developing the roadmap, Funds should prioritize projects and activities that mitigate the most significant areas of risk exposure. The roadmap must also include project-level cost estimates, which provide complete context for remediation.
Inevitably there will be more risk remediation projects than there are resources to mitigate them immediately. The risk-based roadmap will help the Fund’s board, leadership, and staff remain aligned with respect to near-term and long-term priorities. It highlights cybersecurity program improvements and gives a clear path for project priorities should additional resources become available.
Cybersecurity is a technically complex discipline that continually evolves. A common mistake is communicating cybersecurity to Fund leadership in overly technical terms. Avoid wrestling with terminology and technical lingo. Rather, Funds should focus their managerial and leadership communications on risk and risk mitigation outcomes.
The risk assessment and roadmap should align and support the Fund’s business goals and risk appetite. Risk assessment and roadmap data should be modeled in dashboards that speak in the Fund’s business terms. There should be clear correlation between risk projects and business goals.
Funds need to think about the practices necessary to institutionalize strong cybersecurity management. One obvious area is to consistently re-evaluate the Fund’s cybersecurity program annually. A consistent periodic review demonstrates continual improvement. This continual review also has second- and third-order effects on Fund culture, emphasizing that cybersecurity is an important risk element to continually manage.
Cybersecurity is a growing risk all Funds face. DOL’s recently issued guidance provides a high-level starting point that may evolve into regulatory requirements. By taking prudent steps to understand the Fund’s risk exposure, make risk-based decisions, estimate the cost to remediate, and communicate in business-oriented terms, the groundwork can be laid now to effectively strengthen cybersecurity for the future.
Peter Dewar is President of Linea Secure LLC. Peter has performed cybersecurity and analysis services for 17 pension and benefits organizations, has authored national and international articles on pension fund cybersecurity compliance, and has presented cybersecurity awareness seminars to pension boards and conferences.
Russ Ficken, former Director of Agency Engagement for Cyber Security at the U.S. Office of Management and Budget, is a Director specializing in cybersecurity with Grant Thornton Public Sector LLC.