As we previously reported, the US Department of Labor (DOL) issued cybersecurity guidance for retirement plan sponsors, plan fiduciaries, recordkeepers and plan participants regulated by the Employee Retirement Income Security Act (ERISA). The guidance addresses best practices for maintaining cybersecurity, which include:
Next Steps for Employers
At the time the guidance was issued, there was speculation that the DOL might begin audit initiatives of employers’ cybersecurity practices, and it can now be confirmed that the DOL has been moving quickly to audit cybersecurity practices. The Agency has begun issuing information and document requests under this new initiative, and the requests are probing and indicate serious inquiry by the DOL. As a result, plan fiduciaries and service providers should consider acting on the DOL’s recent guidance. Plan fiduciaries that fail to act promptly on this guidance risk being surprised by the comprehensive nature of the cybersecurity audit requests being issued by the DOL.
Employers who become the subject of such an audit should reach out to their labor attorney and, in consultation with the plan sponsor and plan service providers, gather all documents called for in the DOL’s request.