Keeping your plan data safe
Cybersecurity is a critical but often overlooked aspect of a plan sponsor’s fiduciary responsibility. In simple terms, cybersecurity means protecting sensitive plan and participant data — and by extension, your participants’ financial well-being and retirement security — against attacks from hackers and cyber criminals.
The Department of Labor has outlined 12 cybersecurity best practices:
- Have a formal, well documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable annual third party audit of security controls.
- Clearly define and assign information security roles and responsibilities.
- Have strong access control procedures.
- Ensure that any assets or data stored in a cloud or managed by a third party service provider are subject to appropriate security reviews and independent security assessments.
- Conduct periodic cybersecurity awareness training.
- Implement and manage a secure system development life cycle (SDLC) program.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data, stored and in transit.
- Implement strong technical controls in accordance with best security practices.
- Appropriately respond to any past cybersecurity incidents.
To help maintain your fiduciary responsibility, here are 11 key questions you should be asking your 401(k) service providers about cybersecurity:
- What are your procedures for dealing with cybersecurity threats and protecting participants’ personal information?
- Do you conduct periodic risk assessments to identify vulnerabilities to cybersecurity threats and the impact of potential business disruptions?
- Do you conduct an annual, independent assessment of your cybersecurity systems and policies?
- Can you describe how plan and participant data is encrypted (census upload, enrollment, payroll uploads, transfers and other data exchange policies)?
- What are your procedures for notifying us of a system breach?
- Does your company carry cybersecurity insurance? If yes, can you provide an overview of the coverage (including all limitations)?
- Has your company experienced any security breaches? If yes, explain.
- How do you store, retain, and destroy sensitive data?
- Does your company outsource any services to a subcontractor? If yes, what controls are in place to protect our company’s sensitive data?
- Do you have a privacy and security policy, and does the policy apply to personally identifiable information of retirement plan clients?
- Does your business continuity and disaster recovery plan include the recovery of an employer’s data after a breach?
Cybersecurity concerns us all. Whether you are a small business owner or the CEO of a Fortune 100 company, ask your 401(k) service providers these questions and document their responses, because knowing what could cause a data breach is the first step in preventing one.
Toll Free: (866) 364-6262 | Fax: (703) 878-9051
9161 Liberia Avenue
Manassas, VA 20110
Office: (703) 878-9050
11921 Freedom Drive
Two Fountain Square
Reston, VA 20190
Office: (703) 904-4388
This information was developed as a general guide to educate plan sponsors and is not intended as authoritative guidance or tax/legal advice. Each plan has unique requirements, and you should consult your attorney or tax advisor for guidance on your specific situation.
©401(k) Marketing, LLC. All rights reserved. Proprietary and confidential. Do not copy or distribute outside original intent.
 401khelpcenter.com “401k Service Providers and Cybersecurity: Questions to Ask.”