The Department of Labor (DOL) has undertaken a number of enforcement initiatives over the past several years, including the audit quality study, 408(b) fee disclosure guidelines, the current focus on overall plan governance process and fiduciary responsibility, and, in the near future, cyber security concerns.
The DOL believes that retirement plan administrators should be evaluating their plan's cyber security governance, including that of service providers and vendors, as part of their risk assessment. Plan administrators should adopt a three-step approach to implement an effective cyber security policy.
1. Identify information assets and perform a risk assessment.
Plan administrators don't need to be experts in electronic data security, but they do need to know which plan information is relevant in order to assess the risks to it. Risk assessments should include plan management as well as interviews of all cloud and technology service providers to determine how they:
- Manage and protect the data that is transmitted,
- Secure the physical hardware where data is stored, and
- Manage the people that interact with the data.
2. Develop policies and procedures.
Policies and procedures should be developed based on the results and recommendations of the risk assessment. Creating written security policies and procedures, communicating them, and conducting internal training are imperative.
3. Test the policies and procedures.
Many companies stop after step two and don't test their policies and procedures to determine whether they are effective. But what good is a security system if it is never validated? Testing is the only way to truly verify whether your process is effective. Start by testing backup systems and recovery plans, performing periodic assessments, and understanding your cyber security insurance coverage. Penetration testing is also an effective way to expose areas of weakness or noncompliance in the cyber security process. Those results should then be used to adjust your policies and technology accordingly.
Kreischer Miller has identified cyber security risk as a major exposure area for our clients. Our cyber security practice is dedicated to ensuring you have the tools and knowledge to protect your retirement plans and your organization as a whole.
Roman Leshak, Jr. can be reached at Email or 215.441.4600.