Vestwell Data Security and Compliance with Cybersecurity Guidelines for Recordkeepers


Retirement plans experienced an unprecedented increase in cyberattacks last year. In April 2021, the Department of Labor (DOL) announced guidelines for recordkeepers and other service providers that should be a key part of the plan sponsor’s vetting process.
Plan Sponsors must hire service providers that will protect their participants’ assets, and they could be liable for damages if their service provider is missing these important practices and protocols. At Vestwell, we have been practicing and exceeding the DOL’s standards since our inception. Here’s how:

The DOL states that all service providers should...

  • Have a formal, well-documented cybersecurity program. 
    • Our platform was designed with security in mind since day one, and we have always had a comprehensive security program. Our security policies are examined and given an unqualified* opinion by an independent auditor each year. 
  • Conduct prudent annual risk assessments.
    • We conduct an internal and external assessment of our security vulnerabilities every day. 
  • Have a reliable annual third-party audit of security controls.
    • Vestwell has been conducting an independent third-party review of our controls for years. 
  • Clearly define and assign information security roles and responsibilities.
    • Our security protocols are led by our Chief Information Security Officer, Chief Technology Officer, and Chief Privacy Officer, who bring decades of collective privacy and security experience to Vestwell. Our Security Team conducts routine disaster recovery and incident response exercises throughout the year. 
  • Have strong access control procedures.
    • Vestwell has always operated on the principle of “Least Access Privilege,” meaning that our employees only have access to systems and information that they need in order to perform their job responsibilities. Our network access controls are validated each quarter. 
  • Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
    • All data on our platform is stored at data centers hosted by Amazon Web Services, whose security controls are also audited, with results available to the public. You can find more information here. 
  • Conduct periodic cybersecurity awareness training.
    • All of our employees undergo security training upon hire and annually thereafter. Additionally, all employees must complete a rigorous background screening prior to employment and every three years thereafter. That additional security check exceeds industry standards. 
  • Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
    • Vestwell has always operated in a partly remote environment, so the move to a fully remote environment during the pandemic was seamless, without any interruption to our clients or plan participants. 
  • Encrypt sensitive data, both stored and in transit.
    • All data on our platform is encrypted in transit and at rest. 
  • Implement strong technical controls in accordance with best security practices.
    • We don’t just rely on manual intervention and detection. Our platform is monitored throughout the day by automated solutions that scan our network for vulnerabilities. 
  • Appropriately respond to any past cybersecurity incidents.
    • We are proud to report that Vestwell has never had a reportable data breach.

* The term "unqualified" is used by auditors when there are no findings of errors and no reason for the auditor to attach caveats or similar exceptions to how its report can be used. An "unqualified opinion" is the best outcome any company can receive in a SOC audit.