Defined contribution plan executives must ask many questions of service providers about the scope of their cybersecurity policies and practices. The questions should be asked not only of current providers but also when issuing RFPs, according to 401khelpcenter.com, which compiled the following questions:
• Has the company experienced any security breaches? If yes, explain.
• Does the company carry cybersecurity insurance? If yes, provide an overview of the coverage.
• Does the service provider conduct periodic risk assessments to identify cybersecurity threats, vulnerabilities and potential business consequences?
• What are the service provider's processes and systems for dealing with cybersecurity threats and protection of personal identifiable information?
• Does the service provider have an annual independent assessment made of its cybersecurity processes?
• Does the company have a privacy and security policy, and does the policy apply to personal identifiable information of retirement plan clients?
• Is the company's policy clear with respect to storing personal identifiable information on laptops and portable storage devices? What is that policy?
• Are technology systems regularly updated?
• Does the service provider have policies on storing personal identifiable information, including where it is stored, how long it is stored, and how it is eliminated?
• Is advanced authentication used by the company? Can the service provider explain the process?
• Are all personnel who come in contact with personal identifiable information trained on adequate protection of the information?
• Does the service provider have a chief information security officer or equivalent position?