The guidance has 12 recommendations. A summary of each follows:
No. 1: Establish a Formal Cybersecurity Program. This includes developing and maintaining a program that identifies and assesses internal and external cybersecurity risks.
No. 2: Conduct Annual Risk Assessments. Plan sponsors should regularly evaluate potential threats to their IT infrastructure.
No. 3: Conduct Third-Party Audits. Independent auditors should assess a plan sponsor's security posture. This can help identify vulnerabilities and weaknesses from an unbiased perspective.
No. 4: Clearly Define and Assign Information Security Roles and Responsibilities. It is important for plan sponsors to define roles and duties within the organization to effectively manage the cybersecurity program.
No. 5: Implement Strong Access Controls. Plan sponsors should use multifactor authentication and limit personnel access to sensitive data and systems.
No. 6: Use Cloud or Managed Service Providers. This includes ensuring that all third-party service providers undergo security assessments to ensure that plan participants’ sensitive data is adequately protected.
No. 7: Provide Cybersecurity Awareness Training. It is…