In an analysis of issues at the intersection of cybersecurity and investment management, a recent Pensions & Investments (P&I) article detailed how third-party service providers to retirement plans are being evaluated for their cybersecurity practices. Among the professionals who provided input for the article, Morgan Lewis partners Marla Kreindler and Michael Pillion contributed insight on the issue.
P&I observes that cybersecurity requirements are becoming increasingly important to defined benefit and defined contribution plans when they select, and contract with, third-party investment service providers, a trend consistent with what is being observed across many industries, and for good reason. As the article notes, managing cybersecurity risk with respect to third-party service providers involves several ongoing processes: performing thorough due diligence on providers before engaging them; addressing specific security risks, processes, procedures, and liabilities as early as the request for proposal (RFP) stage and continuing throughout negotiations with a provider; and periodically monitoring cybersecurity compliance for the duration of the relationship. As Ms. Kreindler explains in the article, “[u]ltimately (data security) is still the plan sponsor’s responsibility. They can’t just contract out responsibility for data breaches to third parties . . . . It’s not just about the contract. It’s who is the plan sponsor choosing as a service provider.”
According to a recent U.S. Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations report cited by P&I, 74% of surveyed investment advisers reported having experienced a cyber-related incident, either directly or through a third-party service provider. An equally alarming finding of the SEC report is that only 32% of those respondents require periodic cybersecurity risk assessments of their outside vendors, even though 79% reported conducting assessments of their own security. Cybersecurity review should therefore extend beyond the investment managers that serve a plan to the vendors those managers themselves outsource to, including custodians, fund administrators, and other middle- and back-office providers. In practice, the article notes, any vendor with access to the plan’s or a provider’s data should be subject to a proportionate cybersecurity review, regardless of the service it provides.
By making cybersecurity capabilities and technology part of its due diligence on potential third-party service providers, a plan can narrow the field to candidates that appear capable of meeting its requirements. Likewise, by including data protection and privacy provisions in its RFPs, a plan frames cybersecurity as an explicit evaluation criterion and can compare respondents’ approaches side by side.
Other concerns raised in the article include the need for cybersecurity requirements that cover both physical and remote access controls, and that address accidental as well as intentional security breaches.