5 things to do today to improve cybersecurity
Don’t wait until one of your plan participants calls saying that their 401(k) account has been zeroed out to take steps to secure plan information technology systems. Each day there is a risk that your plan will be targeted by cyber criminals or be subject to a Department of Labor (“DOL”) investigation. Over the last few years, a number of participant accounts have been hacked and emptied; plans have been sued; bad press and settlements have followed. In April, DOL issued new tips detailing areas where benefits managers may want to put in place policies and procedures to help reduce these risks. Simultaneous with these tips, DOL has unleashed a wave of investigators tasked with ensuring that corporate retirement plans are using 21st century tools and processes to protect employee retirement savings.
We’ve worked with a number of benefits managers and have identified five things you can do today.
1. Ask “What are we currently doing?”
Do your HR and finance departments have and follow information security policies? Perhaps your company has a general information security policy that applies to the entire company. Maybe you have policies specific to financial information. A helpful first step of getting your plan’s cybersecurity risks under control can be to first determine what you are already doing.
2. Ask “Would the plan suffer if other companies got hacked?”
A second thing you could do is determine which third-party service providers your benefit plans utilize. Common service providers include recordkeepers, third-party administrators, trustees, custodians, actuaries, and account auditors. Making this list can be a key step towards being able to create a holistic picture of your plan’s cybersecurity vulnerabilities and defenses.
3. Ask “What are they currently doing?”
We often see benefits managers start by looking at their contracts with service providers. You can go further though and ask them directly what they are doing. In fact, DOL provided a list of conversation starters in April 2021. If you don’t have the resources to ask every service provider, you could prioritize your outreach based upon which vendors either have certain types or quantities of information or which vendors are actually holding the plan and participant investments.
4. Understand what you collected.
It is great to know what you are doing and what your service providers are doing, but with cybersecurity it is not always easy to make sense of the information you have collected. Cybersecurity is a jargon heavy industry with terms like multi factor authentication, configuration management, and cloud computing. Seek in-house or third-party help if needed to determine if you are comfortable with the policies. Start with your information technology team, but involve outside consultants and outside counsel to evaluate if the policies are adequate. If there is something that does not seem right or if there is a gap, flag it.
5. Revise and repeat.
If policies should to be improved, if you conclude that more training should take place, or if you conclude that your service providers are not pulling their weight, work with outside counsel to develop procedures, training, and contracts that better protect the plan. Most service providers take cybersecurity very seriously and will work with you to implement enhancements.
Finally, cybersecurity isn’t a set it and forget it area. Cyber criminals continue to evolve, and as they evolve cybersecurity evolves. Even if you conclude that your plan’s cybersecurity is top notch, it makes sense to repeat these steps on a regular basis.
Allison Itami and Kevin Walsh are both principals at Groom Law Group, Chartered. Their practices encompass assisting plan fiduciaries with understanding their responsibilities and helping them develop processes and systems for meeting and documenting compliance. In addition to this prophylactic assistance, they and their colleagues at Groom Law Group defend plan fiduciaries and plan sponsors in Department of Labor investigations and fiduciary litigation. For more information visit www.groom.com.
Gloss