Does your service provider have a Chief Information Security Officer or equivalent position?

Does the company have a privacy and security policy, and does the policy apply to personally identifiable information of retirement plan clients?

What are the service providers processes and systems for dealing with cyber security?

The article has more questions to ask:

http://napa-net.org/news/managing-a-practice/service-providers/cyber-threats-what-fiduciaries-should-know/