5 Things to do today to improve cybersecurity
Don't wait until one of your plan participants calls saying that their 401(k) account has been zeroed out to take steps to secure plan information technology systems. Each day there is a risk that your plan will be targeted by cyber criminals or be subject to a Department of Labor (DOL) investigation.
In April 2021, DOL issued new tips detailing areas where benefits managers may want to put in place policies and procedures to help reduce these risks.
Simultaneous with these tips, DOL has unleashed a wave of investigators tasked with ensuring that corporate retirement plans are using 21st century tools and processes to protect employee retirement savings.
Here are five things you can do today.
1. Ask "What are we currently doing?"
Do your HR and finance departments have and follow information security policies? Perhaps your company has a general information security policy that applies to the entire company. Maybe you have policies specific to financial information. A helpful first step toward getting your plan's cybersecurity risks under control is to determine what you are already doing.
2. Ask "Would the plan suffer if other companies got hacked?"
A second thing you could do is determine which third-party service providers your benefit plans utilize. Common service providers include recordkeepers, third-party administrators, trustees, custodians, actuaries, and account auditors. Making this list can be a key step towards being able to create a holistic picture of your plan's cybersecurity vulnerabilities and defenses.
3. Ask "What are they currently doing?"
Benefits managers often start by looking at their contracts with service providers. You can go further though and ask them directly what they are doing. In fact, DOL provided a list of conversation starters in April 2021. If you don't have the resources to ask every service provider, you could prioritize your outreach based upon which vendors either have certain types or quantities of information or which vendors are actually holding the plan and participant investments.
4. Understand what you collected
It is great to know what you are doing and what your service providers are doing, but with cybersecurity it is not always easy to make sense of the information you have collected. Cybersecurity is a jargon-heavy industry with terms like multi-factor authentication, configuration management, and cloud computing. Seek in-house or third-party help if needed to determine whether you are comfortable with the policies. Start with your information technology team, but involve outside consultants and outside counsel to evaluate whether the policies are adequate. If something does not seem right or if there is a gap, flag it.
5. Revise and repeat
If policies need to be improved, if you conclude that more training should take place, or if you conclude that your service providers are not pulling their weight, work with outside counsel to develop procedures, training, and contracts that better protect the plan. Most service providers take cybersecurity very seriously and will work with you to implement enhancements.
Finally, cybersecurity isn't a set-it-and-forget-it area. Cyber criminals continue to evolve, and as they evolve, cybersecurity evolves with them. Even if you conclude that your plan's cybersecurity is top notch, it makes sense to repeat these steps on a regular basis.
Voya is aligned with Department of Labor cybersecurity best practices
On April 14, 2021, the Department of Labor (DOL) published information security guidance to ERISA plans. Voya’s information security program has been built on a foundation using recognized best practices and information security frameworks. It is aligned to the core standards highlighted by the DOL.