Skip to main content

You are here


Cyber Threats: What Fiduciaries Should Know

Cyber security is a growing concern. Is it part of your annual vendor review process?

A recent report in Pensions & Investments (free registration required) cites Graig Vicidomino, associate director at Crystal & Co., a New York-based insurance broker, noting that while DC plan sponsors have not asked about cyberinsurance for their plans, in the past 12 to 24 months they've been asking much more about the coverage that their current or potential service providers have.

According to a post on, here are some questions that plan fiduciaries (and, arguably, those who advise them) should ask:

  • Does the service provider conduct periodic risk assessments to identify cyber security threats, vulnerabilities, and potential business consequences?

  • What are the service provider's processes and systems for dealing with cyber security threats and protection of personally identifiable information?

  • Does the service provider have an annual independent assessment made of its cyber security processes?

  • Does the service provider have a Chief Information Security Officer or equivalent position?

  • Does the company have a privacy and security policy, and does the policy apply to personally identifiable information of retirement plan clients?

  • Is the company's policy clear with respect to storing personally identifiable information on laptops and portable storage devices? What is that policy?

  • Is advanced authentication used by the company? Can the service provider explain the process?

  • Are technology systems regularly updated?

  • Does the service provider have policies on storing personally identifiable information including where it is stored, how long it is stored, and how it is eliminated?

  • Are all personnel who come in contact with personally identifiable information trained on adequate protection of the information?

  • Does the company carry cyber security insurance? If yes, provide an overview of the coverage.

  • Has the company experienced any security breaches? If yes, explain.