DOL Commences Cybersecurity Audits

Plan Sponsors Should Act Now on DOL Guidance

On April 14, 2021, the Employee Benefits Security Administration (EBSA) of the U.S. Department of Labor (DOL) announced its first-ever guidance on cybersecurity directed at plan sponsors and fiduciaries regulated by the Employee Retirement Income Security Act of 1974 (ERISA) and at plan participants and beneficiaries. The DOL has already begun its audit initiative focusing on retirement plan cybersecurity practices. The information and document requests under this new initiative are characterized as probing, indicating serious inquiry by the DOL.

What You Should Know

Evaluating cybersecurity practices is identified as part of a plan fiduciary’s duty to prudently select and monitor plan service providers.
Plan sponsors and fiduciaries should act now to enhance their to enhance their internal cybersecurity practices for their benefit plans, confirm the practices of plan service providers, and educate ERISA plan participants about the importance of strong individual cybersecurity practices.
The speed and intensity with which the DOL has begun its audits underscores the urgency with which plan fiduciaries and service providers should review the DOL’s recent guidance for retirement plan cybersecurity practices to determine if their cybersecurity practices and policies are sufficient:
- Tips for Hiring a Service Provider with Strong Cybersecurity Practices^[1] helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.
- Cybersecurity Program Best Practices^[2] assists plan fiduciaries and recordkeepers in their responsibilities to manage cybersecurity risks.
- Online Security Tips^[3] offers plan participants and beneficiaries basic rules to help reduce the risk of fraud and loss.
DOL audit requests have been surprising in depth and breadth, according to law firm Morgan, Lewis & Bockius (“DOL Begins Its Cybersecurity Audit Initiative –And It’s a Doozy")^[4]. Plan fiduciaries have been asked to produce all cybersecurity and information security program policies, procedures, and guidelines that relate to the plan as well as detailed documentation evidencing specific actions taken by the plan’s fiduciaries and vendors.

Let's Talk

Our solutions can be tailored to meet your unique needs.

Contact Us »

Schedule an appointment

SCHEDULE NOW

Find a branch near you

FIND NOW

Important Legal Disclosures and Information

1. https://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/tips-for-hiring-a-service-provider-with-strong-security-practices.pdfhttps://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/best-practices.pdf
2. https://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/best-practices.pdf
3. https://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/online-security-tips.pdf
4. https://www.morganlewis.com/blogs/mlbenebits/2021/06/dol-begins-its-cybersecurity-audit-initiative-and-its-a-doozy

The material presented herein is of a general nature and does not constitute the provision by PNC of investment, legal, tax, or accounting advice to any person, or a recommendation to buy or sell any security or adopt any investment strategy. Opinions expressed herein are subject to change without notice. The information was obtained from sources deemed reliable. Such information is not guaranteed as to its accuracy.

The PNC Financial Services Group, Inc. (“PNC”) uses the marketing name PNC Institutional Asset Management® for the various discretionary and non-discretionary institutional investment, trustee, custody, consulting, and related services provided by PNC Bank, National Association (“PNC Bank”), which is a Member FDIC, and investment management activities conducted by PNC Capital Advisors, LLC, an SEC-registered investment adviser and wholly-owned subsidiary of PNC Bank. PNC does not provide legal, tax, or accounting advice unless, with respect to tax advice, PNC Bank has entered into a written tax services agreement. PNC Bank is not registered as a municipal advisor under the Dodd-Frank Wall Street Reform and Consumer Protection Act.

“PNC Institutional Asset Management” is a service mark of The PNC Financial Services Group, Inc.

Investments: Not FDIC Insured. No Bank Guarantee. May Lose Value.

PNC General Disclosure https://www.pnc.com/en/corporate-and-institutional/pnc-general-disclosure.html