Cybersecurity checklist and questionnaire
Use this checklist and questionnaire to review and strengthen your plan’s cybersecurity.
- Learn state law requirements that apply to your plan. (While there isn’t a comprehensive federal cybersecurity law, all states have cybersecurity laws.)
- Most states require “reasonable security procedures” that are “appropriate to the nature of the information.”
Factors to consider:
- If your organization operates in more than one state, the laws of each state apply. Requirements under different laws may vary significantly.
- Although ERISA doesn’t explicitly address cybersecurity issues, defining and implementing a comprehensive cybersecurity plan may help you defend against a fiduciary claim based on a cybersecurity breach.
Factors to consider:
- If you electronically distribute plan information, you may have a duty under Department of Labor (DOL) regulation Section 2520.104b-1(c) to ensure that the system: (1) results in actual receipt of the transmitted information; and (2) protects the confidentiality of personal information.
Act prudently when choosing service providers who will have access to participant data. It’s important to go through a comprehensive investigation and selection process. To help you get started, the questionnaire in this document includes some questions you may wish to ask potential service providers.
In developing a risk management strategy:
- Understand the types of data associated with the plan.
- Determine how information is accessed, stored, shared, controlled, transmitted and secured (for example, by using encryption).
- Consider the plan’s size, complexity and overall risk exposure to effectively coordinate the plan’s cybersecurity with your broader cybersecurity efforts.
Include the following in your cybersecurity strategy:
- Testing
- Updating
- Reporting
- Control of access
- Data retention and destruction
- Third party risk management
- Delegate responsibility for design and implementation of the plan’s cybersecurity program to a single individual so that accountability and oversight are clear.
- Update your policy annually to protect against the latest risks.
- Engage experts to help, if necessary.
- Ensure a security assessment process is in place to evaluate all third party service providers who have access to plan data.
- Make sure third party contracts include appropriate protections and a fair allocation of liability risk.
- Determine whether the third party provider has adequate cybersecurity insurance.
- Question each service provider. Potential questions are in the questionnaire included in this document.
- Review your existing insurance policies for cybersecurity coverage.
- If your current insurance doesn’t offer adequate coverage, investigate special cybersecurity coverage.
- Closely review the terms of your cybersecurity coverage.
Please note: Be sure to consider first party coverage (coverage that doesn’t require third party damages or a third party lawsuit). This coverage may include costs associated with direct risk management, disaster response and recovery assistance.
|Cybersecurity questionnaire: Questions for providers|
|---|
|Do you have a comprehensive cybersecurity program?|
|What are the elements of your cybersecurity program?|
|How will retirement plan data be maintained and protected?|
|How is data secured while in transit and in storage (for example, what encryption is used and who controls the keys)?|
|What are your protocols and time frames for notifying plan management of a breach?|
|Do you subcontract to others? If so, on what protections do you insist in your agreement with the subcontractor?|
|What are your hiring and training practices (for example, background checks, screening practices and cyber training of personnel)?|