
QOTW: Cybersecurity

This week we asked plan sponsors whether they had made any changes as a result of the DOL guidance on cybersecurity.

Three-fourths have not, though it is clearly on their minds and on their to-do lists.

Some plan sponsors had already made changes that exceed the DOL guidance, some have it scheduled for meetings with their providers, and some have disseminated the DOL online security tips to participants. Sponsors can read more tips here and here. Additional comments from our readers follow.


Plan sponsors who have made changes:

- Increased communications to participants
- IT is diligently working on updates, processes.
- Our consultant has submitted a questionnaire to our recordkeeper and will be providing us with that feedback and comments. Our internal Cybersecurity team is addressing all security within the company and its vendors. We hope to put a cybersecurity policy for the plan in place when all of this is done.
- To fulfill this duty, we review Fidelity's security protocols to reduce the likelihood that our employees' retirement plans will fall victim to a data breach or theft of plan assets. We have asked participants to take a few simple steps to help reduce their risk, such as two-step verification upon logging into their accounts.
- We are including the DOL tips in Annual Enrollment (health plans), AFN (pension) and Fee Disclosure (401k) mailings. We also reviewed contracts to ensure they align with the recommended guidance, and requested penetration testing results and SOC 2 reports from vendors.
- We have upgraded systems significantly in the recent months. We have also created a new position, Director of Privacy, Security & Data Compliance, to oversee this initiative.
- We requested copies of our vendor cyber audits.

Plan sponsors who have not made changes:

- Although we have not made any changes up to this point, we are looking into the subject and plan on putting together a procedural action plan.
- Definitely need to add this as a topic of conversation for upcoming retirement committee meetings.
- Our Plan Administrative Committee recently discussed cybersecurity with our Plan Recordkeeper and our Company's IT Group. We are encouraging our Plan Participants to enroll in two-factor identification for access to their Plan account.
- The guidance will shore up what we already have in place or had started prior to 2021.
- We already exceed the DOL guidance.
- We are currently reviewing the guidelines and comparing to the protocols in place via our vendors.
- We are making sure our recordkeeper conforms as their system is the "keeper" of all of our participants' 401(k) information.
- We have been working with our vendors to review their policies and our internal policies to ensure we meet at least the minimum requirements per the guidance. So far, we and our vendors meet the minimum requirements, but we may look at enhancing our cybersecurity further.
- We have not responded with improvements to our cybersecurity specifically based on the DOL guidance. However, I would point out that we have made improvements, and the improvements correspond with the DOL guidance.
- We have posted a link to the DOL cybersecurity tips for participants in our monthly newsletter, to try to make employees aware that they need to be more aware, but our institution has its own cybersecurity team that sends out information concerning our institutional system security, and our recordkeepers are really the ones who have to put the extra security steps in place.
- We reviewed this with legal counsel as well as the record keeper.
- We will evaluate the guidance and get an update from our consultant at our next board meeting.