Roberts’ checklist for retirement plan advisors is as follows:

• Confirm the status of the employer's cybersecurity insurance coverage: whether they have it, what it covers and, more importantly, what it does not cover, as well as any fiduciary liability coverage;

• Perform periodic reviews of providers’ cybersecurity policies and procedures and related cybersecurity program documentation to determine alignment with industry and security best practices and frameworks, and document and retain any pertinent results and recommendations as a result of the reviews;

• Request and review plan providers’ documentation related to recent external security audits performed by independent auditors or third-parties;

• Confirm the content, frequency and recipients of plan providers' cybersecurity awareness communications and training;

• Inquire of plan providers regarding any past cybersecurity incidents and the related resolution and corrective actions;

• Understand the differences between the providers’ cybersecurity and fraud protection policies;

• Confirm whether providers’ service agreements contain any indemnification language that might apply to cybersecurity and/or fraud protection policies;

• Confirm with providers the number of participants who have never logged into the participant website and consider communicating cybersecurity risk to those participants;

• Confirm with record-keeper what communication is sent to participants related to cybersecurity, including the method and frequency of communication;

• Periodically communicate with and educate employees directly on the importance of security best practices;

• Follow up with providers periodically on their cybersecurity policies and procedures;

• Document all cybersecurity actions taken and decisions made.
