Standard Definition of a Security Breach

Most people have heard of a cyber security breach and cyber fraud, but do they really know what those terms mean? Under what circumstances should a recordkeeper inform a plan sponsor about a cyber-related event? It turns out that there is a lot more disagreement on the definitions than you’d think.

As more plan sponsors focus on the cyber security capabilities of their record keepers, terms like ‘security breach’ and ‘cyber fraud’ become key issues in contracts. However, without commonly accepted definitions, plan sponsors and record keepers spend a lot of time defining these terms. The SPARK Institute, through the work of its Data Security Oversight Board (DSOB), developed common definitions for these terms and is making them publicly available.

Dennis Lamm, a member of SPARK’s DSOB from Fidelity Investments, headed up the task force responsible for developing these common definitions. “It’s important to keep in mind that these definitions serve as guidelines and do not supersede state and/or federal laws, legislation, or regulation,” says Dennis. He added that “Our objective was to create a reasonable approach consistent with best practices and industry standards that will serve to protect participants, simplify discussions and get to an agreement more quickly.”

SPARK’s DSOB Task Force spent 11 months working with definitional examples from national cyber standards, international regulations, state privacy laws, and dozens of client contracts, and gathering insights from the plan consultant representatives on the board. Rasch Cousineau, a Senior Consultant with the Hyas Group, shared his thoughts on the new definitions: “As Plan Fiduciaries evaluate their third-party vendors, cyber security measures and standards have become increasingly relevant. These definitions provide a level platform for vendor evaluation as it relates to cyber security breach and fraud.”

For more information, please contact Tim Rouse by emailing tim@sparkinstitute.org.

About the SPARK Institute
The SPARK Institute represents the interests of a broad-based cross section of retirement plan service providers and investment managers, including members that are banks, mutual fund companies, insurance companies, third-party administrators, trade clearing firms, and benefits consultants. Through the combined expertise of its member companies, the Institute provides research, education, testimony, and comments on pending legislative and regulatory issues to members of Congress and relevant Government agency officials. Collectively, its members serve approximately 100 million participants in 401(k) and other defined contribution plans.
