The Employee Benefits Security Administration prepared a list of best practices for 401(k) Plan recordkeepers and service providers. These practices include:
- Having a documented cybersecurity program;
- Conducting annual risk assessments;
- Auditing security controls;
- Defining and assigning information security roles and responsibilities;
- Having strong access control procedures;
- Ensuring data stored in a cloud are subject to security reviews and independent security assessments;
- Conducting periodic cybersecurity awareness training;
- Implementing and managing a secure system development life cycle program;
- Having an effective business resiliency program addressing business continuity, disaster recovery, and incident response;
- Encrypting sensitive data stored and in transit;
- Implementing strong technical controls
- Appropriately responding to any past cybersecurity incidents.
