NAPA Net - Polling Places 050621

Are Your Plan(s) Cybersecure?

Last week the DOL’s Employee Benefit Security Administration unveiled a set of “best practices” on cybersecurity practices – and, perhaps more intriguingly - on cybersecurity considerations in hiring providers.

The publication comes within a month of a report from the Government Accountability Office (GAO) calling for some definitive DOL guidance on the issue – specifically noting that “The Department of Labor hasn't clarified whether plan administrators are responsible for mitigating cybersecurity risks and hasn’t set minimum expectations for protecting personal information.”

It wasn’t exactly guidance – but it IS an issue of increasing importance to plan sponsors – and the DOL.

So, this week we’d like to know which, if any, of the best practices you’ve advocated with your plan sponsor clients – and which of the standards in hiring considerations you have already embraced, or are thinking about.

Question Title

* 1. Will/have cybersecurity be an issue for your plan committee meetings this quarter?

Yes, it's on my agenda.

Yes, it's on their agenda.

Not sure.

No.

Not yet - but later this year.

Any comments?

Question Title

* 2. Generally speaking, which of the following cybersecurity measures do the plans you work with have in place (check all that apply)?

Cybersecurity awareness campaigns

Email alerts/communications about cybersecurity issues.

Use multi-factor authentication to make plan changes.

Have a written cybersecurity policy.

Insist on using provider with an established cybersecurity policy.

Any comments?

Question Title

* 3. What will be the focus of those discussions (check all that apply?

General update on cybersecurity issues.

Discussion about the recent EBSA publication(s).

Recent litigation regarding cybersecurity incidents.

Recommendation(s) about updates/changes to cybersecurity policies.

Recommendation(s) about provider cybersecurity reviews.

Review of current cybersecurity policies/procedures.

Discussion/decision regarding change in providers due to cybersecurity concerns.

None of the above.

Any comments?

Question Title

* 4. Generally speaking, among the providers you recommend, what is the status of the following cybersecurity best practices for recordkeepers identified by EBSA?

	Have in place	Not yet, but planning to have in place.	Don't have in place.	Don't know.
Have a formal, well documented cybersecurity program.	Have a formal, well documented cybersecurity program. Have in place	Have a formal, well documented cybersecurity program. Not yet, but planning to have in place.	Have a formal, well documented cybersecurity program. Don't have in place.	Have a formal, well documented cybersecurity program. Don't know.	Have a formal, well documented cybersecurity program.
Conduct prudent annual risk assessments.	Conduct prudent annual risk assessments. Have in place	Conduct prudent annual risk assessments. Not yet, but planning to have in place.	Conduct prudent annual risk assessments. Don't have in place.	Conduct prudent annual risk assessments. Don't know.	Conduct prudent annual risk assessments.
Have a reliable annual third party audit of security controls.	Have a reliable annual third party audit of security controls. Have in place	Have a reliable annual third party audit of security controls. Not yet, but planning to have in place.	Have a reliable annual third party audit of security controls. Don't have in place.	Have a reliable annual third party audit of security controls. Don't know.	Have a reliable annual third party audit of security controls.
Clearly define and assign information security roles and responsibilities.	Clearly define and assign information security roles and responsibilities. Have in place	Clearly define and assign information security roles and responsibilities. Not yet, but planning to have in place.	Clearly define and assign information security roles and responsibilities. Don't have in place.	Clearly define and assign information security roles and responsibilities. Don't know.	Clearly define and assign information security roles and responsibilities.
Have strong access control procedures.	Have strong access control procedures. Have in place	Have strong access control procedures. Not yet, but planning to have in place.	Have strong access control procedures. Don't have in place.	Have strong access control procedures. Don't know.	Have strong access control procedures.
Ensure that any assets or data stored in a cloud or managed by a third party service provider are subject to appropriate security reviews and independent security assessments.	Ensure that any assets or data stored in a cloud or managed by a third party service provider are subject to appropriate security reviews and independent security assessments. Have in place	Ensure that any assets or data stored in a cloud or managed by a third party service provider are subject to appropriate security reviews and independent security assessments. Not yet, but planning to have in place.	Ensure that any assets or data stored in a cloud or managed by a third party service provider are subject to appropriate security reviews and independent security assessments. Don't have in place.	Ensure that any assets or data stored in a cloud or managed by a third party service provider are subject to appropriate security reviews and independent security assessments. Don't know.	Ensure that any assets or data stored in a cloud or managed by a third party service provider are subject to appropriate security reviews and independent security assessments.
Conduct periodic cybersecurity awareness training.	Conduct periodic cybersecurity awareness training. Have in place	Conduct periodic cybersecurity awareness training. Not yet, but planning to have in place.	Conduct periodic cybersecurity awareness training. Don't have in place.	Conduct periodic cybersecurity awareness training. Don't know.	Conduct periodic cybersecurity awareness training.
Implement and manage a secure system development life cycle (SDLC) program.	Implement and manage a secure system development life cycle (SDLC) program. Have in place	Implement and manage a secure system development life cycle (SDLC) program. Not yet, but planning to have in place.	Implement and manage a secure system development life cycle (SDLC) program. Don't have in place.	Implement and manage a secure system development life cycle (SDLC) program. Don't know.	Implement and manage a secure system development life cycle (SDLC) program.
Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.	Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response. Have in place	Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response. Not yet, but planning to have in place.	Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response. Don't have in place.	Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response. Don't know.	Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
Encrypt sensitive data, stored and in transit.	Encrypt sensitive data, stored and in transit. Have in place	Encrypt sensitive data, stored and in transit. Not yet, but planning to have in place.	Encrypt sensitive data, stored and in transit. Don't have in place.	Encrypt sensitive data, stored and in transit. Don't know.	Encrypt sensitive data, stored and in transit.
Implement strong technical controls in accordance with best security practices.	Implement strong technical controls in accordance with best security practices. Have in place	Implement strong technical controls in accordance with best security practices. Not yet, but planning to have in place.	Implement strong technical controls in accordance with best security practices. Don't have in place.	Implement strong technical controls in accordance with best security practices. Don't know.	Implement strong technical controls in accordance with best security practices.
Appropriately respond to any past cybersecurity incidents.	Appropriately respond to any past cybersecurity incidents. Have in place	Appropriately respond to any past cybersecurity incidents. Not yet, but planning to have in place.	Appropriately respond to any past cybersecurity incidents. Don't have in place.	Appropriately respond to any past cybersecurity incidents. Don't know.	Appropriately respond to any past cybersecurity incidents.

Question Title

* 5. Other comments about cybersecurity, cybersecurity concerns, lack of cybersecurity concerns, criteria for evaluating cybersecurity concerns, concerns about cybersecurity concerns, or life in general?

Question Title

* 6. What is your role working with retirement plans?

Advisor

Provider

TPA

Plan sponsor

Recordkeeper

Wholesaler

Consultant

Other (please specify)

Question Title

* 7. What size plans do you work with PRIMARILY?

Under $10 million in assets

$10-$20 million

$20-$50 million

$50-100 million

$100 million - $250 million

$250 million - $500 million

Above $500 million

Other (please specify)

Question Title

* 8. Suggestions for future survey questions? Seriously - what would you like to know about/from your fellow NAPA-Net readers? Or what would you like to be asked?

Question Title

* 9. All responses are confidential, of course - but just in case you would like a response - or want me to know you responded - or just want to say hi - here's your chance to do so (don't forget your email)!