401k Service Providers and Cybersecurity: Questions to Ask
401k plan fiduciaries have an obligation to secure and keep private the personally identifiable information of plan participants and beneficiaries. Part of this essential task is ensuring that plan service providers take cybersecurity preparedness and plan data protection seriously.
Inquiring about and examining the cybersecurity policies and procedures of current service providers, and documenting both the process and the results, should be part of every plan's annual vendor review.
Here are some questions you should be asking:
Does the service provider conduct periodic risk assessments to identify cybersecurity threats, vulnerabilities, and potential business consequences?
What are the service provider's processes and systems for dealing with cybersecurity threats and protection of personally identifiable information?
Does the service provider obtain an annual independent assessment of its cybersecurity controls (for example, a SOC 2 report or a third-party penetration test), and will it share the results?
Does the service provider have a Chief Information Security Officer or equivalent position?
Does the company have a privacy and security policy, and does the policy apply to personally identifiable information of retirement plan clients?
Is the company's policy clear with respect to storing personally identifiable information on laptops and portable storage devices? What is that policy?
Does the company use multi-factor authentication, both for its own staff when accessing participant data and for participants logging into their accounts? Can the service provider explain the process?
Does the company: (1) conduct cyber risk assessments of critical systems; (2) conduct penetration tests and vulnerability scans of critical systems; and (3) perform regular patch management and system maintenance?
Are the company's Microsoft-based servers and PCs (in all forms), and any other systems that handle plan data, running vendor-supported operating system versions, and are these systems patched regularly? If no to any part, explain.
Does the service provider have policies on storing personally identifiable information, including where it is stored, how long it is retained, and how it is securely destroyed when no longer needed?
Are all personnel who come in contact with personally identifiable information trained on adequate protection of the information?
What are the service provider's procedures for notifying the employer of a breach of the service provider's systems, and within what timeframe?
Does the company carry cybersecurity insurance? If yes, provide an overview of the coverage including all limitations.
What level of financial and fraud coverage is provided?
Are there any limitations on the service provider's liability?
Has the company experienced any security breaches? If yes, explain.
Asking these cybersecurity risk assessment questions should also be part of any vendor RFP.
If you are not able to understand or make a knowledgeable assessment of the responses to these questions, you should hire a skilled third-party expert to assist you.