SPARK Announces Retirement Industry Best Practices For Reporting Cyber Security Capabilities

With large cyber breaches and hacks becoming a regular occurrence plan sponsors are increasingly focused on insuring their employees’ data is protected within their retirement plans. So, to help plan sponsors the SPARK Institute today announced the development of new Industry Best Practices for how record keepers should report their cyber security capabilities to plan sponsors and plan consultants.

“For years plan sponsors relied on self-reported answers from record keepers about their cyber security capabilities”, said Tim Rouse, the Executive Director of the SPARK Institute. “The problem with this process, beyond the self-reporting aspect, is that both the number of cyber security questions and the intimacy of those questions has dramatically increased over the years,” said Tim Rouse. “The answers to these questions typically get distributed through a vendor RFP process, which raises the concern among record keepers that this information could end up in the wrong hands and actually become a cyber security weakness.” he added.

In response to this problem The SPARK Institute formed a Data Security Oversight Board (DSOB), comprised of both records keepers and members of the plan consultant community. “Our original focus was trying to create a data security standard that all industry players needed to meet. However, we quickly realized that one overarching standard was not only unattainable given the different security frameworks each record keeper uses, but also was bad security policy. If that one standard was breached then everyone’s systems would be at risk” said Doug Peterson, the Chief Risk Officer for Empower Retirement and the Chair of SPARK’s DSOB. “In the end, we chose to standardize how security capabilities are reported, so the plan sponsor would have a uniform way to better compare each vendor” he added.

When a member firm uses SPARK’s Best Practices to describe their overall data security capabilities they must use the 16 identified critical data security control objectives, defined by the Data Security Oversight Board (DSOB). These Best Practices also require members to use an independent third-party auditor. Each audited report, regardless of the security framework used, must include a detailed report showing identified controls mapped to one of SPARK’s 16 control objectives.

“Cyber security is becoming a significant concern for everyone, especially plan sponsors. Plan sponsor governing bodies may not have cyber security expertise, and most plan sponsors outsource their recordkeeping, customer service and marketing services. So, the establishment of standardized reporting of best practices for cyber security with independent certification can be a great comfort and great assistance to plan sponsors” says Keith Overly, the Executive Director of the State of Ohio’s Deferred Compensation Plan. Mr. Overly went on to add, “Plan sponsors often rely on consultants when evaluating recordkeeping services. So, having consultants represented on the SPARK Board played a valuable role providing their unique perspective to the rest of the Board.”

For more information and access to the standards, please contact Tim Rouse at

About The SPARK Institute
The SPARK Institute represents the interests of a broad-based cross section of retirement plan service providers and investment managers, including members that are banks, mutual fund companies, insurance companies, third party administrators, trade clearing firms and benefits consultants. Through the combined expertise of its member companies, the Institute provides research, education, testimony and comments on pending legislative and regulatory issues to members of Congress and relevant Government agency officials. Collectively, its members serve approximately 85 million participants in 401(k) and other defined contribution plans.

Back to news