New Fiduciary Training Resource: Cybersecurity Best Practices

Cybersecurity threats are more frequent in today’s market than ever before. Data protection is critical, whether in the technology sector, the retail industry, or even the financial and consulting field. 

We have created a Fiduciary Training resource that covers the Employee Benefits Security Administration’s (EBSA) recommended best practices for successfully managing retirement plan security. Following this guidance gives more assurance that fiduciary duties will be fulfilled more effectively and that the privacy of participant data is kept intact.  

The EBSA guidelines are as follows: 

Cybersecurity Program Fundamentals

Create a well-designed program that includes the internal and external risks associated with IT infrastructure and plan data security. One must also define the security roles to ensure qualified people run the system.

Risk Assessment and Third-Party Audits

Schedule and perform annual risk evaluations to locate potential cybersecurity threats and verify that the program’s measures are current and effective. Additionally, including third-party audits can help identify hidden vulnerabilities and document corrections for weaknesses discovered over time. 

Access Control and Data Protection

Use strong access control measures to guarantee that authorized users have sole access to confidential information. Data encryption is also needed to protect the privacy and integrity of participant data.  

Third-Part Service Provider Management

Ensure all data managed by a third-party organization or stored in the cloud is protected through intense security reviews and independent evaluations. 

Validate and QA

Administer, at minimum, annual training for all firm members, updating the program to reveal the latest risks identified through assessment. This can also address identity theft and fraud prevention.    

Incident Response and Business Resiliency

Devise a strong incident response plan to prepare for potential cybersecurity attacks. This plan will involve notifying law enforcement and affected parties when applicable. Moreover, an organization's defense program should be instituted to address business continuity, disaster recovery, and incident response, ensuring the plan is annually tested.

You can download our full Fiduciary Training on this topic here. 


Multnomah Group is a registered investment adviser, registered with the Securities and Exchange Commission. Any information contained herein or on Multnomah Group’s website is provided for educational purposes only and does not intend to make an offer or solicitation for the sale or purchase of any specific securities, investments, or investment strategies. Investments involve risk and, unless otherwise stated, are not guaranteed. Multnomah Group does not provide legal or tax advice.

Comment On This Article