PLANSPONSOR - June - July 2022 - 35

BEST PRACTICES | CYBERSECURITY
DOL put out a series of tip sheets to help
companies of all sizes learn the types of
cybersecurity questions to ask. The tip
sheets' guidance breaks down as: how-to's
for hiring a service provider that employs
strong security practices; best practices
for cybersecurity programs; and online
security tips for participants.
"I think, at a minimum, bring up the tip sheets and discuss them at the committee meeting, and start thinking about these things," Conley says.
Committees may use the tip sheets
as a guide when asking service providers
about their cybersecurity programs and
later when monitoring their work.
Lee especially likes the DOL's questions
to ask when interviewing a recordkeeper,
he says. For instance: What has the
provider's record been? Has it experienced
any breaches? What is its plan in case of a
breach? How would a breach be reported?
And what technical certifications do staff
members have in cybersecurity?
He recommends that plan committees additionally review the cybersecurity program best practices tip sheet, even though it is targeted toward recordkeepers and other vendors. "It's a great reference for committees to see what the DOL considers best practices and the types of questions it is likely to ask in the event of an audit."
Annual Updates
While asking about such practices should be built into the RFP and the evaluation process, "Where many fiduciaries come up short is the fact that the relationship with the major recordkeepers has become routine," Lee observes. "Have these cybersecurity conversations with them not just at renewal time, but also on a periodic basis." He recommends having the recordkeeper and other service providers make a presentation about their cybersecurity protocols once a year at a committee meeting. "That will be part of your minutes and be well-documented in case of an audit," he notes.
Conley likewise suggests that providers lay out their procedures for the committee to check. And invite a staff IT or cybersecurity employee to that meeting; this person will understand what questions to ask, she adds.
As hackers grow more sophisticated, and the methods to stop them must continually evolve, requiring annual reviews of providers' cybersecurity practices is key.

"This is a good time to reach out to your service providers, if they haven't reached out to you already, in response to [the DOL] guidance," says Lee. Some vendors put out responses detailing how they addressed each of the issues in the DOL best practices guide, soon after the tip sheets were released. "It can be good to look at any service provider that has access to sensitive or personal participant information, because that can be very valuable, too," he says.

A Key Area for Advisers

A plan adviser can help with cybersecurity reviews as well. Mike Kane, founder and managing director of Plan Sponsor Consultants, a division of Hub International, in Atlanta, added cybersecurity several years ago as one of the key areas to address when helping plan committees vet recordkeepers and other vendors.

"We have our own proprietary recordkeeper RFP, and we update it all the time," Kane says. "We added a cybersecurity section and questions into the RFP." He also studies a firm's System and Organization Controls (SOC) 1 and/or SOC 2 audit reports for more information about how it handled any cybersecurity situations. "We've eliminated certain providers because of the SOC 1 and SOC 2 discoveries we made," he says. A SOC 1 report documents a service organization's controls relevant to its clients' financial reporting; a SOC 2 report documents its controls over security, availability, processing integrity, confidentiality and privacy, which makes it the more relevant report for a cybersecurity review. Committees should ask for the SOC 2 Type II report, which tests whether those controls operated effectively over a review period rather than merely existed on a given date, and read the auditor's opinion and any listed exceptions rather than stopping at the cover page.

Further, Kane helps plan committees perform annual cybersecurity reviews. "We get updates every year from the recordkeepers," he says. "And we're looking at their SOC 1 and SOC 2, not just taking their word for it." Besides asking service providers how they identify, protect and respond to threats, he asks detailed questions about what internal testing is done on any threats, what kind of penetration testing is done, how often unannounced assessments are conducted, and what kind of dark web monitoring they perform.

"We have a discussion with the committee about cybersecurity and what the current recordkeeper is doing to meet all of these criteria," he says. "Then we go a step further and request a report that shows how you meet the cybersecurity requirements and [DOL] guidance."
Although most of the focus is on cybersecurity for the plan-and-provider relationships, the third DOL tip sheet, the online security tips for individuals, can be the basis for a participant cybersecurity education program. "There are steps [plan sponsors] should be aware of that they can take to protect their assets in the plan," says Conley. Plan committees can sponsor educational events to help participants learn about cybersecurity, and some service providers offer cybersecurity education programs, too.
-Kimberly Lankford