401(k) Cybersecurity Questions That Plan Sponsors Should Be Asking

Even if you barely follow the news, you know that corporate data breaches seem to happen almost every day. And although the most harmful and most publicized exposures of people’s personal information have come from breaches of corporate behemoths like Marriott, Target, Yahoo!, and Equifax, small businesses are by no means immune to information security breakdowns.

A critical but often overlooked aspect of a plan sponsor’s fiduciary oversight is how its recordkeeper or third-party administrator protects employees’ sensitive personal data. Overlooked or not, cybersecurity should be near the top of any retirement plan fiduciary’s priority list.

If you’re not sure how to begin the process of safeguarding your company’s retirement plan data, you might start by asking your plan service providers the following questions:

  • What are your procedures for dealing with cybersecurity threats and the protection of our employee participants’ personal information?

  • Do you conduct risk assessments periodically to identify susceptibility to cybersecurity threats and the impact of potential business disruptions?

  • Do you conduct an annual, independent assessment (for example, a third-party audit or penetration test) of your cybersecurity systems and policies?

  • Does your company employ a chief information security officer (or someone in an equivalent position)?

  • How do you store, retain, and destroy sensitive data, and is that data encrypted both in transit and at rest?

  • Does your business continuity and disaster recovery plan include the recovery of an employer’s data after a breach?

  • Does your company outsource any services to a subcontractor? If yes, what controls are in place to protect our company’s sensitive data?

Remember, as a plan sponsor and fiduciary, among the most critical tasks you have are the prudent selection of service providers and the continuous monitoring of their performance. If your service providers don’t provide satisfactory responses to your cybersecurity questions, or if they aren’t meeting your standards in other categories, you can’t afford to turn a blind eye. Document your interactions and enlist the help of your plan advisor to perform a benchmarking and risk assessment. Together, you can identify the best service providers for your plan and your valued employees.

Cybercriminals adapt to our defenses at a lightning-fast pace. Be sure to review your own internal information security controls and procedures regularly, not just your providers’, to stay ahead of these criminals and the threats they pose.