Evaluating cybersecurity program maturity

A strong cybersecurity program is beneficial not only for plan sponsors, but also for vendors and suppliers.

External program testing

Mature programs often hire outside parties to test them extensively; this is commonly referred to as “black box testing” or “penetration testing.” The firm may then offer a sanitized summary of the results to external parties.

A strong foundation

Mature programs contain core elements, such as strong authentication, an employee awareness training program, logging, and a written information security policy.
A mature program is considered an organizational priority and, therefore, is adequately funded and staffed.
Cyberfraud defenses

Mature cybersecurity programs include anti-fraud technical controls, advanced technologies, and partnership with the firm’s fraud and anti-money laundering (AML) teams.

Talk to cybersecurity senior leaders

You can learn a lot by speaking directly to the leadership of a cybersecurity program.
The more you know about the cybersecurity programs of the vendors and suppliers who may have access to your clients’ confidential data, the better you can help those clients evaluate the vendors’ controls and make informed risk decisions about which vendors and suppliers to use.