Institutional Asset Management Solutions
On April 14, 2021, the Employee Benefits Security Administration (EBSA) of the U.S. Department of Labor (DOL) announced its first-ever guidance on cybersecurity directed at plan sponsors and fiduciaries regulated by ERISA (the Employee Retirement Income Security Act of 1974), and at plan participants and beneficiaries.
The DOL has already begun its audit initiative focusing on retirement plan cybersecurity practices. At PNC Institutional Asset Management® (PNC IAM), we recognize the obligation of our retirement plan clients to monitor the cybersecurity practices of service providers to the plan. We are proud of the measures PNC has taken and the ongoing enhancements we deliver each year to help protect our clients’ data and assets.
The EBSA prepared a list of best practices for use by recordkeepers and other service providers responsible for plan-related IT systems and data, and for plan fiduciaries making prudent decisions about the service providers they hire. According to the EBSA, plan service providers should do each of the things listed in the left column below. The right column shows what PNC is doing to adhere to these practices. We provide this overview so that, as a plan fiduciary, you can be confident that PNC IAM is in alignment with the DOL’s best practices.
| EBSA United States DOL | PNC Practices |
|---|---|
| Have a formal, well documented cybersecurity program. | As a regulated financial institution, PNC maintains a comprehensive cybersecurity program aligned to industry best practices. Please see the attached Security Overview document and visit the Security and Privacy Center for additional pertinent information. |
| Conduct prudent annual risk assessments. | Risk assessments are performed at least annually and whenever there are significant changes to controls or technology. |
| Have a reliable annual third-party audit of security controls. | Service Organization Controls (SOC) reporting may be provided to our clients subject to the establishment of the appropriate confidentiality protections. |
| Clearly define and assign information security roles and responsibilities. | PNC has a dedicated cybersecurity team of highly skilled information security experts in defined roles within the organization. |
| Have strong access control procedures. | Access Management is PNC’s program for governing access to information systems and technology, tailoring such access, and ensuring that controls against misuse of data are in place. PNC’s Access Management Program is designed to provide integrity, privacy, and consistency of financial, business, and customer information through data ownership, appropriate access, and governance. |
| Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments. | The Third-Party Assurance (TPA) team within Security is responsible and accountable for evaluating the security of PNC’s third-party service providers. The TPA team is composed of Information Risk professionals following control frameworks built upon industry-standard assessment methodologies. The team is organized to review domestic and global suppliers to identify and mitigate risk, protecting PNC customer and employee information assets. The Third-Party Assessment program aligns with regulatory guidance. |
| Conduct periodic cybersecurity awareness training. | PNC requires cybersecurity awareness and privacy training for all employees and contractors at hire and annually thereafter. Additionally, phishing exercises are executed throughout the year, and an annual “spotlight month” of cybersecurity awareness provides additional cybersecurity insights to PNC employees. |
| Implement and manage a secure system development life cycle (SDLC) program. | The PNC Secure SDLC program is aligned to industry best practices and injects security and risk management into all aspects and phase gates of the systems development life cycle. |
| Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response. | The PNC Business Continuity Management Program is based on a defined methodology that is aligned to industry best practices and the Federal Financial Institutions Examination Council (FFIEC) Guidelines. The program methodology has four embedded components: |
| Encrypt sensitive data, stored and in transit. | Industry-standard encryption tools are used to protect confidential data during transmission and at rest, where deemed necessary to meet PNC risk management objectives. |
| Implement strong technical controls in accordance with best security practices. | As a regulated financial institution, PNC is aligned to the National Institute of Standards and Technology (NIST) Special Publication (SP) 800 series, put forth by the United States Department of Commerce. This is an ever-growing set of computer security documents published as part of Federal Information Security Management Act of 2002 (FISMA) compliance. |
| Appropriately respond to any past cybersecurity incidents. | PNC monitors its systems and utilizes sophisticated layers of technology to protect the PNC network, customer accounts, and personal information. PNC's Security team actively monitors various external information channels for active threats, attacks, and vulnerabilities being reported or exploited. Depending on the information, our security intelligence, incident response, operations, and vulnerability management teams evaluate the reporting and assess impact and response for PNC. |
Below is an overview of PNC’s Information Security, Data Protection, and Business Resiliency policies. These policies are reviewed regularly for alignment with regulatory guidance with a high level of focus on security, privacy, and resiliency for our clients.
For additional questions about PNC’s cybersecurity practices, please reach out to your PNC representative.
As of 10/30/2021
The PNC Financial Services Group, Inc. (“PNC”) uses the marketing name PNC Institutional Asset Management® for the various discretionary and non-discretionary institutional investment, trustee, custody, consulting, and related services provided by PNC Bank, National Association (“PNC Bank”), which is a Member FDIC, and investment management activities conducted by PNC Capital Advisors, LLC, an SEC-registered investment adviser and wholly-owned subsidiary of PNC Bank. PNC does not provide legal, tax, or accounting advice unless, with respect to tax advice, PNC Bank has entered into a written tax services agreement. PNC Bank is not registered as a municipal advisor under the Dodd-Frank Wall Street Reform and Consumer Protection Act.
“PNC Institutional Asset Management” is a registered mark of The PNC Financial Services Group, Inc.
Investments: Not FDIC Insured. No Bank Guarantee. May Lose Value.