DOL Increasingly More Focused on Retirement Plan Cybersecurity
By Louis F. LiBrandi, Principal, Jordan Mentry, Manager and Timothy J. Desmond, Partner
In the May 2021 Employee Benefit Plans Alert headlined Cybersecurity Guidance for Retirement Plans, the specialists in our Employee Benefit Plans Group discussed the recently-released guidance from the Department of Labor (DOL) Employee Benefits Security Administration (EBSA) regarding the importance of adopting comprehensive cybersecurity best practices. The DOL guidance emphasizes the importance of strengthening cybersecurity for retirement plans and reflects the DOL’s view that ERISA plan fiduciaries have an obligation to protect plan assets from cyber threats. Links to the three DOL publications are:
Since the DOL released this information, there have been a few developments in this area. One noteworthy item is that the EBSA investigators started asking plan sponsors cybersecurity-related questions and requesting documents relative to cybersecurity policies and procedures in their retirement plan investigations. The requests have included documentation and communications from service providers to the plan relating to their cybersecurity capabilities and procedures.
Other examples of materials requested during an investigation include:
- All documents and communications from service providers regarding policies and procedures for collecting, storing, archiving, deleting, anonymizing, warehousing, and sharing data;
- All documents and communications describing the permitted uses of data by the sponsor of the plan or by any service providers of the plan, including, but not limited to, all uses of data for the direct or indirect purpose of cross-selling or marketing products and services;
- All documents describing security technical controls, including firewalls, antivirus software, and data backup;
- All documents and communications describing security reviews and independent security and any past cybersecurity incidents;
- Assessments of the assets or data of the plan stored in a cloud or managed by service providers;
- All documents describing security technical controls, including firewalls, antivirus software and data backup.
The DOL’s Objective
Based on the above, it is clear the DOL would like to see how plan fiduciaries are communicating with their service providers to assess provider cybersecurity risk, as well as the documents and other materials from service providers concerning the processing of plan data and how the data is used.
With cyberattacks becoming more frequent, and over $9 trillion dollars of retirement plan assets, the DOL believes cybersecurity should be a primary concern for plan sponsors, and that it is critical that they take the responsibility for keeping plan and participant information safe.
The specialists of the Employee Benefit Plans Group at PKF O’Connor Davies are available to assist employers with all aspects of employee benefit plan compliance. Pease contact your PKF O’Connor Davies engagement partner or any of the following:
Timothy J. Desmond, CPA
Director of Employee Benefit Services
firstname.lastname@example.org | 551.249.1728
Louis F. LiBrandi, EA, CEBS, ChFC, TGPC
Employee Benefit Services Group
email@example.com | 646.449.6327
Jordan Mentry, MST
Employee Benefit Services Group
firstname.lastname@example.org | 646.965.7797