Plan Sponsors Should Act Now on DOL Guidance

On April 14, 2021, the Employee Benefits Security Administration (EBSA) of the U.S. Department of Labor (DOL) announced its first-ever guidance on cybersecurity directed at plan sponsors and fiduciaries regulated by the Employee Retirement Income Security Act of 1974 (ERISA) and at plan participants and beneficiaries. The DOL has already begun its audit initiative focusing on retirement plan cybersecurity practices. The information and document requests under this new initiative are characterized as probing, indicating serious inquiry by the DOL.

What You Should Know

  • Evaluating cybersecurity practices is identified as part of a plan fiduciary’s duty to prudently select and monitor plan service providers.
  • Plan sponsors and fiduciaries should act now to enhance their internal cybersecurity practices for their benefit plans, confirm the practices of plan service providers, and educate ERISA plan participants about the importance of strong individual cybersecurity practices.
  • The speed and intensity with which the DOL has begun its audits underscores the urgency with which plan fiduciaries and service providers should review the DOL’s recent guidance for retirement plan cybersecurity practices to determine if their cybersecurity practices and policies are sufficient:
    • Tips for Hiring a Service Provider with Strong Cybersecurity Practices[1] helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.
    • Cybersecurity Program Best Practices[2] assists plan fiduciaries and recordkeepers in their responsibilities to manage cybersecurity risks.
    • Online Security Tips[3] offers plan participants and beneficiaries basic rules to help reduce the risk of fraud and loss.
  • DOL audit requests have been surprising in depth and breadth, according to law firm Morgan, Lewis & Bockius (“DOL Begins Its Cybersecurity Audit Initiative – And It’s a Doozy”)[4]. Plan fiduciaries have been asked to produce all cybersecurity and information security program policies, procedures, and guidelines that relate to the plan, as well as detailed documentation evidencing specific actions taken by the plan’s fiduciaries and vendors.
