4 Cyber Security Tips to Help Protect Your Organization


Cyber risk is a rapidly growing area of concern for plan sponsors, with millions of individuals already affected by a sharp rise in cyber security breaches. It is imperative that companies prioritize cyber security awareness and best practices, because inadequate policies carry a direct cost to your organization. Close to $600 billion, or nearly 1% of global GDP, is lost to cybercrime each year, according to the Center for Strategic and International Studies. Along with financial risk, weak cyber security creates reputational and regulatory risk as well. Your organization’s reputation is critically important for maintaining the trust of clients and stakeholders and for achieving your objectives. There is also increased scrutiny by regulators, and potentially significant costs, if cyber security issues are identified.

How do you, as an asset owner, protect your organization, and how do you work with organizations that are well protected?

Retirement plans and retirement plan asset management are frequent targets because their information and data are maintained and accessed online. To help protect your organization, particularly in your relationships with your investment advisor, OCIO, or other service providers, we have outlined key considerations and steps you can take to reduce exposure to costly events and potential retirement plan penalties.

1. Review the Department of Labor’s Guidance on Cyber Security Best Practices

In 2021, the Department of Labor (DOL) issued cyber security guidance for plan sponsors and fiduciaries, including tips for hiring and monitoring third-party providers, as well as best practices and online security tips to keep your organization safe.

We suggest reviewing the DOL’s guidance, which was issued in three parts, including:

2. Evaluate How Your Investment Consultant or OCIO Manages/Mitigates Their Cyber Risk

Because most plans use third-party service providers, including investment consultants and OCIOs, it is crucial to understand how these providers carry out the cyber security controls needed to keep your organization and plan participants safe.

At North Pier, we specialize in helping clients assess the capabilities of service providers in a wide variety of areas, including cyber security. Based on our experience, we recommend a thorough evaluation of your investment consultant or OCIO to confirm that their cyber security controls are robust and effective. There are a variety of questions to ask your provider, which can be posed through a request for information (RFI) or request for proposal (RFP) process. These questions should include:

  1. Describe how your data and your clients’ data are secured at all times.
  2. Is all of your data and your clients’ data kept in the USA?
  3. Do you have a comprehensive cyber security program and written policies?
  4. Describe your internal cyber security training and education programs. Do you have an annual independent assessment of your cyber security processes (e.g., a SOC 2 report)?
  5. Is cyber security planning, updating, and monitoring handled in-house or outsourced?

If it’s time for your organization to evaluate your service provider, learn more about the RFP process here.

3. Assess How Your Investment Consultant or OCIO Evaluates the Cyber Risk of the Organizations They Invest With

You want to ensure that your investment consultant or OCIO is as committed to understanding the risk of the organizations they invest with (which are also touching your data) as they are to understanding their own risk.

If your service provider hires investment managers on behalf of your plan or investment program, it should perform similar due diligence on those organizations, with the same rigor it applies internally.

To understand how your provider assesses the organizations it works with, ask whether it has explicit cyber security policies and requirements for its own service providers and investment managers. Apply the same questions you would ask internally, so you can confirm that the provider is asking sufficiently detailed questions of itself and of its third parties.

4. Look Out for Red Flags

The way your investment consultant or OCIO answers questions on cyber security says a great deal about how they operate. To learn how to distinguish good answers from bad answers that signal red flags, watch our recent cyber security webinar, available on demand by registering here.

Want to learn more about how to better understand cyber security protocols, and what red flags to look out for? Register now to receive a recording of our cyber security webinar, co-hosted by Hall Benefits Law, here.
