11 Cybersecurity Questions You Should Ask Your Recordkeeping Vendor

One of the most important things a retirement plan service provider is responsible for is securing the Personally Identifiable Information (PII) of participants in the plan. Failure to do so creates a risk to both the participants and to the plan sponsor that selected the provider. However, comparing the data security processes of large financial services organizations can be challenging, especially if your background is not in technology.

The following is a list of questions to help plan sponsors get a better understanding of potential vendors data security process.

  1. Do you have a Chief Information Security Officer (CISO)? If yes, does the CISO manage a team dedicated to cybersecurity-specific activities?

    Organizations should have resources dedicated to security. This allows you to determine the depth of security-dedicated resources at a provider.
  2. Do you have written information security policies? If yes, how are the policies made available to employees?

    Any effort to secure participant data is only as strong as the weakest link in the data custody. Frequently, security breaches are a byproduct of an employee who did not follow published data security protocols.
  3. Do you regularly conduct secure code review and penetration tests against your customer-facing applications?

    Organizations that prioritize data security regularly review their client facing applications to determine where penetrations can occur. Those tests may be conducted internally or by outside providers.
  4. Do you regularly conduct vulnerability scans against your Internet facing IP address space?

    Organizations that prioritize data security regularly review their Internet facing IP address to determine where breaches can occur. Those tests may be conducted internally or by outside providers.
  5. Is PII encrypted at rest? If yes, using what encryption algorithm?

    When PII data sits on provider servers, is it encrypted in such a way that it would no longer be useful to a cybercriminal?
  6. Do you have a written set of written procedures to address security incidents?

    A provider should articulate their process for addressing and remediating any security breach they become aware of.
  7. Do you have documented business continuity and disaster recovery plans? How often are they tested?

    Having a written (and tested) business continuity and disaster recovery plan protects sponsors and participants against regional data losses and server outages, to ensure the plan can continue to operate smoothly.
  8. How does your organization monitor cyber threats and analyze known attacks to determine the likelihood and impact of the attacks to your business?

    Large financial service providers with extensive sums of PII should be monitoring their systems constantly against any attack and adjusting security protocols to address emerging threats.
  9. Are you ISO 27001 certified? If not, which independent third-party security certifications do you hold? Please include the most recent certification.

    Ideally, a provider would enlist external parties to also review security protocols and call out areas for potential improvement.
  10. How do you protect individual customers from identity theft and fraud?

    In the event of PII loss, how are participants protected?
  11. What guarantees/responsibility do you provide in protecting participants retirement benefit assets or other benefits for our plan in case of fraud?

    If fraud leads to a loss of participant funds, what protections are in place to make the participant whole? Are there limits to the guarantees made?

To download a printable list of these questions, please click the button below.

Download the PDF

This resource is a piece in a larger toolkit we have created focused on recordkeeping vendor searches called "Recordkeeping RFPs: How to Prepare, Review, and Evaluate Vendors."

To read and download this toolkit, click here.

Multnomah Group is a registered investment adviser, registered with the Securities and Exchange Commission. Any information contained herein or on Multnomah Group’s website is provided for educational purposes only and does not intend to make an offer or solicitation for the sale or purchase of any specific securities, investments, or investment strategies. Investments involve risk and, unless otherwise stated, are not guaranteed. Multnomah Group does not provide legal or tax advice.

Comment On This Article