Cyber risk is a rapidly growing area of concern for plan sponsors, with millions of individuals already affected by a rising number of cyber security breaches. It’s imperative that companies prioritize cyber security awareness and best practices, because inadequate policies carry a direct cost to your organization. Close to $600 billion, or nearly 1% of global GDP, is lost to cybercrime each year, according to the Center for Strategic and International Studies. Along with financial losses, cyber security incidents create reputational and regulatory risk as well. Your organization’s reputation is critically important for maintaining the trust of clients and stakeholders and achieving your objectives, and regulators are applying increased scrutiny, with potentially significant costs if cyber security deficiencies are identified.
How do you, as an asset owner, protect your organization, and how do you make sure the organizations you work with are themselves well protected?
Retirement plans and retirement plan asset management are frequent targets because participant information and plan data are maintained and accessed online. To better protect your organization, particularly in your relationships with your investment advisor, OCIO, or other service providers, we’ve outlined key considerations and steps that can be taken to reduce exposure to costly events and potential retirement plan penalties.
1. Review the Department of Labor’s Guidance on Cyber Security Best Practices
In 2021, the Department of Labor (DOL) issued cyber security guidance for plan sponsors and fiduciaries, including tips for hiring and monitoring third-party providers, as well as best practices and online security tips to keep your organization safe.
We suggest reviewing the DOL’s guidance, which was issued in three parts:
- Tips for hiring a service provider with strong cyber security practices, including best practices for business owners and fiduciaries to meet their ERISA responsibility to prudently select and monitor service providers.
- Cyber security program best practices, including how plan fiduciaries and record-keepers should manage online risks.
- Online security tips, including basic rules that help reduce the risk of fraud or loss.
2. Evaluate How Your Investment Consultant or OCIO Manages/Mitigates Their Cyber Risk
Because most plans rely on third-party service providers, including investment consultants and OCIOs, it’s crucial to understand how these providers are implementing the cyber security controls needed to keep your organization and plan participants safe.
At North Pier, we specialize in helping clients assess the capabilities of service providers in a wide variety of areas, including cyber security. Based on our experience, we recommend a thorough evaluation of your investment consultant or OCIO to confirm that their cyber security controls are robust and effective. There are a variety of questions to ask your provider, which can be posed through a request for information (RFI) or request for proposal (RFP) process. These questions should include:
- Describe how your data and your clients’ data are secured at all times, both at rest and in transit.
- Is all of your data and your clients’ data kept in the USA?
- Do you have a comprehensive cyber security program and written policies?
- Describe your internal cyber security training and education programs.
- Do you obtain an annual independent assessment of your cyber security processes (e.g., a SOC 2 report), and will you share the results?
- Is cyber security planning, updating, and monitoring handled in-house or outsourced?
If it’s time for your organization to evaluate your service provider, learn more about the RFP process here.
3. Assess How Your Investment Consultant or OCIO Evaluates the Cyber Risk of the Organizations They Invest With
You want to ensure that your investment consultant or OCIO is as committed to understanding the risk of the organizations they invest with (who also touch your data) as they are to understanding their own risk.
If your service provider hires investment managers on behalf of your plan or investment program, they must perform due diligence on those organizations with the same rigor they apply internally.
To understand how your provider assesses the organizations they work with, ask whether they have explicit cyber security policies and requirements for their own service providers and investment managers. Then apply the same questions you ask your provider to confirm that they are asking sufficiently detailed questions of those third parties.
4. Look Out for Red Flags
The way your investment consultant or OCIO answers questions on cyber security reveals a great deal about how they operate. To learn how to distinguish good answers from answers that raise red flags, watch our recent cyber security webinar, available on demand by registering here.