
Your Plan Will Face a Cyberattack. Here's What You Need to Know

Defined contribution consultant Ben Taylor recently spoke about cybersecurity at Pensions & Investments West Coast Defined Contribution Conference in San Diego, specifically on how to define a breach. Watch Ben’s description here (subscription required).

In addition, Jana Steele and Ben have collaborated on a paper on the topic of cybersecurity, which addressed a wide range of issues related to how DC plan sponsors should prepare for the almost inevitable threat of a cyberattack on employee data.

In their paper, Jana and Ben said that one of the most difficult challenges for plan sponsors is determining where to start to defend against increasingly sophisticated cyberattacks.

To begin the process, plan sponsors should address the following questions:

  • What is their internal risk?
  • Where does their employees’ personal data go and how is it transmitted and stored (e.g., to third parties, or maintained on a server or in the cloud)?
  • Have they conducted appropriate due diligence on their vendors, and the partners that those vendors may share data with?
  • How does the organization define a “breach”?
  • How do their vendors define a “breach,” and what triggers disclosure?
  • How do they monitor their internal processes and procedures and their external partners on an ongoing basis?
  • Do contracts and agreements cover indemnification, notification procedures (i.e., does the vendor have to notify the sponsor when it discovers a breach, or only after the breach has been contained), and remediation?
  • What is the sponsors’ and vendors’ process for when they experience a breach?

Callan recommends plan sponsors then take these steps to address their cybersecurity vulnerabilities and prepare for an inevitable attack:

  • Explore the appropriate options for a cybersecurity framework—which provides guidance for how organizations can assess and improve their ability to prevent, detect, and respond to cyberattacks—and make an informed choice for the organization
  • Implement solutions, guidelines, and protocols for that cybersecurity framework
  • Review the cyber protections in place at the organization’s vendors, and their vendors that may have access to plan participants’ personally identifiable information
  • Consider how data protection is covered in contracting, specifically assessing the indemnification, notification, and remedies outlined in the agreements
  • Take inventory of what is covered or not covered by any cyberinsurance policy the organization has in force or is considering.
