Cybersecurity Inside and Out


Cybersecurity continues to be a growing concern for people and businesses alike. Businesses may feel like regulators are waiting for the moment they perfect the newest, shiniest version of their security system to drop a new regulation or requirement on them. Individuals may feel a constant sense of never having finished the latest compliance training on protecting passwords. However, these continuing refinements are necessary after a significant change in how we work. According to a new article in Harvard Business Review, changes in where we work (from home, from the office, or both) can be costly when they also change how we work: “[D]ata breaches arising from insider threats and simple mishaps can cost businesses an average of $7.5 million annually.”[1] In that article, Bret Arsenault shares insight into strengthening cybersecurity against insider risk. His tips include prioritizing employee trust and privacy; collaborating across functions; empowering employees as the best and last line of defense; and using machine learning and data visualization to reduce the burden on staff.

A few of his specific recommendations: Using role-based access for insider risk management tools helps ensure that the right person is reviewing compliance alerts, keeping unwarranted suspicion from creeping into the organization. He also suggests creating plans in advance for how information will be shared across departments, so that changes in laws, training or funding can be addressed quickly. These kinds of advance agreements about the details of responding to internal cyber issues can save departmental time: “If you have a high number of false positives, you risk burdening your HR and legal teams with unnecessary and expensive investigations.” He also suggests drawing parallels between protecting personal data and protecting company data, to boost the sense that internal data protection matters. Finally, Arsenault recommends moving away from strict controls that reduce productivity and towards risk management tools that spot trends and detect risky behavior.

This new article may provide food for thought for plan sponsors concerned about meeting cybersecurity guidelines from regulatory agencies such as the DOL. The DOL has published tips for employers hiring service providers with strong security practices,[2] but thinking about how to address internal data breaches may also be useful. Since the DOL’s tips are written for clients hiring advisors, you may want to augment them with those noted above. That might be as simple as reviewing the DOL’s list with Arsenault’s points in mind. It might also involve combining DOL tips, such as asking a provider about independent yearly audits of its systems, with the need for cross-functional information: for example, asking how the audit handles information shared across functions, or whether it tests employees’ cyber training.

The EBSA also has its own guidance on internal cybersecurity best practices for plan recordkeepers and service providers.[3] Those best practices, if already in use at your company, could be enhanced by these internal risk mitigation tips. For example, the EBSA recommends that a vendor “clearly define and assign information security roles and responsibilities.” This may be an opportunity to review how different departments overlap in roles and responsibilities and to create the plan for shared information suggested by Arsenault. EBSA also recommends that vendors “Conduct periodic cybersecurity awareness training.” Advisors may want to review their training with an eye towards bringing personal-data examples into it to enhance the sense of importance.


[1] https://hbr.org/2023/03/your-biggest-cybersecurity-risks-could-be-inside-your-organization

[2] https://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/tips-for-hiring-a-service-provider-with-strong-security-practices.pdf

[3] https://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/best-practices.pdf

These articles are prepared for general purposes and are not intended to provide advice or encourage specific behavior. Before taking any action, Advisors and Plan Sponsors should consult with their compliance, finance and legal teams.
