Cyber Threats: What Fiduciaries Should Know

Cyber security is a growing concern. Is it part of your annual vendor review process?

According to a post on, here are some questions that plan fiduciaries (and, arguably, those who advise them) should ask:

  • Does the service provider conduct periodic risk assessments to identify cyber security threats, vulnerabilities, and potential business consequences?

  • What are the service provider’s processes and systems for dealing with cyber security threats and protection of personally identifiable information?

  • Does the service provider have an annual independent assessment made of its cyber security processes?

  • Does the service provider have a Chief Information Security Officer or equivalent position?

  • Does the company have a privacy and security policy, and does the policy apply to personally identifiable information of retirement plan clients?

  • Is the company’s policy clear with respect to storing personally identifiable information on laptops and portable storage devices? What is that policy?

  • Is advanced authentication used by the company? Can the service provider explain the process?

  • Are technology systems regularly updated?

  • Does the service provider have policies on storing personally identifiable information including where it is stored, how long it is stored, and how it is eliminated?

  • Are all personnel who come in contact with personally identifiable information trained on adequate protection of the information?

  • Does the company carry cyber security insurance? If yes, provide an overview of the coverage.

  • Has the company experienced any security breaches? If yes, explain.