Insights from the Trenches on Cybersecurity

In a recent webinar, an industry expert offered some insights on cybersecurity in light of the Department of Labor’s (DOL) recent guidance on cybersecurity. 

Speaker Mark Strosahl, Business Information Security Officer at Principal Financial, set the table by noting that Infosecurity Magazine has reported that the volume of compromised records around the world has increased by 224% every year since 2017. And in just the first five months of 2021, he added, the number of cybersecurity-related questions his firm answers each month has risen by 220%.

“A lightbulb turned on” with the release of the Department of Labor’s cybersecurity guidance, said Strosahl. “It became a topic that could no longer be ignored and had to be addressed,” he said. Strosahl highlighted some aspects of cybersecurity that go beyond the letter of the guidance. 

Customer Protection Guarantees

Customer protection guarantees—a means by which businesses demonstrate their commitment to protecting clients’ data, information and assets—are not required by the DOL guidance, Strosahl said. Nonetheless, he said, they are becoming an industry standard. He added that Principal had used one informally and added one formally in writing in 2018. 

Principal's customer protection guarantee, for instance, states that the company will reimburse an employer-sponsored retirement account for losses from unauthorized activity occurring through no fault of the account holder. It does not cover:

  • losses that result from sharing credentials with other individuals and/or not adequately securing credentials from family members and acquaintances;
  • distributions that were transferred to outside accounts a participant owns; 
  • distribution checks that were mailed to the participant address that is on file, but that someone else fraudulently cashed; and 
  • fraudulent activity, malware or breaches of security by the plan sponsor, financial professional or third-party administrator. 

Their guarantee also makes suggestions regarding best practices for keeping personal data secure: 

  • Log in to an account frequently.
  • Have strong, unique passwords.
  • Protect and do not share login credentials.
  • Use an authenticator app so that login attempts generate authentication prompts and notifications on a device you control.
  • Sign up for notifications on account changes so you can be alerted in real-time.
  • Make sure that contact information is up to date.
  • Read correspondence from financial service providers.
  • Report anything that is out of the ordinary.
  • Use virus protection on devices. 

SOC 2 Reports

A SOC 2 report, an independent auditor's attestation on the internal controls that govern the services a service organization provides to its clients (measured against the AICPA Trust Services Criteria for security, availability, processing integrity, confidentiality and privacy), is intended to give clients assurance that the service organization operates a secure environment in which it can manage sensitive data and protect both its own interests and its clients' privacy. SOC 2 reports are not required by law, but they have become a standard expectation for technology-based service organizations that store client information in the cloud, and clients routinely ask for them during vendor due diligence. Strosahl said that SOC 2 reports demonstrate both that the industry is evolving and the importance of establishing a consistent standard.

Cooperation

Unfortunately, said Strosahl, there are shortages of cybersecurity experts across the industry. Consequently, he suggested, cooperation will help. “Let’s continue to find ways to work together for small and medium-sized businesses,” he said.