COLLECTED WISDOM™ on Cybersecurity Risks and Liabilities
This is a collection of articles, papers, and commentaries on cybersecurity risks and liabilities for employers, retirement plan sponsors and fiduciaries.
This archive contains not only the most current material on the topic, but also older items that are still relevant, provide background, perspective or are germane to the topic.
If you find a broken link or an item that you feel is outdated, irrelevant or no longer appropriate, please let us know.
Fiduciaries at large, sophisticated plans tend to understand their responsibility and have the resources and staff to regularly assess contractors' fraud and data controls. But smaller firms can be left in the dark. As recordkeepers continue to make cyber improvements, they may play an outsized role in helping their smaller clients keep up. One thing they need to do is raise awareness among plan fiduciaries that they have this responsibility.
Source: Groom.com, October 2021
Nearly one-third (31%) of retirement plan recordkeepers expect to increase their cybersecurity staff, according to a Cerulli report. Industry stakeholders suggest the threat of retirement account fraud has increased in recent years, particularly during the remote work environment, Cerulli Associates says. And, even though the majority of recordkeepers act in a non-fiduciary capacity, Cerulli points out that courts have suggested that cybersecurity is a shared responsibility.
Source: Planadviser.com, October 2021
In response to an increased threat of retirement account fraud, nearly a third of recordkeepers expect to boost their cybersecurity staff going forward, a new report from Cerulli finds. Even though plan providers have always been subject to cyberattacks, this is an issue that has become more acute in recent years, particularly during the remote work environment when many employees are working on less secure home networks and personal devices during the pandemic.
Source: Napa-net.org, September 2021
The DOL's "Cybersecurity Document Requests" reveal the DOL has been asking for quite an extensive list of documentation. Moreover, the DOL has noted that plan administrators should be aware that they may need to consult not only with the sponsor of the plan, but with the service providers of the plan to obtain all the documents requested, and if they are unable to produce the requested documents the plan administrator must specify the reasons why the documents are unavailable.
Source: Retirementlc.com, September 2021
The DOL had begun asking cybersecurity questions on some plan audits in 2020 but recently began using a more comprehensive document request in plan audits. The DOL's cybersecurity document request to plan sponsors is broadly stated: "all documents relating to any cybersecurity or information security programs that apply to the data of the plan, whether these programs are applied by the sponsor of the plan or by any service provider to the plan."
Source: Wagnerlawgroup.com, September 2021
Benefit plan sponsors and plan fiduciaries should take note and act quickly. The Department of Labor has issued a new cybersecurity guidance package with far-reaching effects and has already begun including this in its enforcement efforts.
Source: Poynerspruill.com, September 2021
In today's world, most transactions involving retirement plans are conducted electronically, including maintaining and sharing data across multiple platforms. Data and personally identifiable information have become increasingly vulnerable to attack as the information travels across employer and third-party systems. Plan fiduciaries must develop best practices related to cybersecurity. This requires thought and insight and depends on the facts and circumstances. This 12-page paper is an in-depth review of the issue.
Source: Mintz.com, August 2021
Principals with Groom Law Group discuss steps retirement plan sponsors can take to avoid or be prepared for a DOL cybersecurity audit.
Source: Plansponsor.com, August 2021
The DOL issued cybersecurity guidance to plan fiduciaries and participants in the form of three separate documents. The first two documents included what amounted to checklists of provisions that plan sponsors should look for in their contracts with service providers such as third-party administrators, trustees, custodians, investment managers, and the like. The third document was directed more toward individuals. This article reviews steps a prudent fiduciary should consider.
Source: Quarles.com, August 2021
Cyber insurance coverage is now harder to get, and it costs more, largely due to the higher volume of attacks that resulted in higher loss ratios for insurers.
Source: Investmentnews.com (registration may be required), August 2021
The DOL recently released its first-ever guidance on cybersecurity for retirement plans. Just a few months after issuing this guidance, reports are coming in that the DOL has issued information and document requests to plan sponsors that are "probing and indicate serious inquiry by the DOL." These requests are asking for all cybersecurity and information security program policies, procedures, and guidelines that relate to retirement plans, whether applied by the plan sponsor or by a provider, as well as detailed documentation of specific actions taken by the plan's fiduciaries and providers, including many that the DOL addressed in its guidance.
Source: Hallbenefitslaw.com, August 2021
ERISA-covered plans have entered the digital world. As the amount of confidential information about plan participants that is stored in multiple information systems, and shared among plan service providers, increases, so, too, do the legal risks. The DOL has now made cybersecurity risk an enforcement priority; the courts have started to wrestle with whether participant data is a "plan asset." Plan sponsors and service providers should brace themselves.
Source: Stradley.com, August 2021
Another retirement plan cyber theft scheme has come to light and the perpetrators sentenced. This particular intrusion involved the Texas Employees Retirement System and the machinations of Olumide Bankole Morakinyo, 38, a Nigerian national residing in Canada, and Lukman Shina Aminu, a resident of New Hampshire, who created unauthorized accounts for participants in the Employees Retirement System of Texas internet portal.
Source: Napa-net.org, August 2021
Cybersecurity is a major concern in the context of employer-sponsored benefit plans because plan participants' financial and personally identifiable information is maintained and shared with multiple parties. To help you assess and mitigate your organization's risk related to safeguarding this information, this article explores some important action steps.
Source: Ajg.com, July 2021
The DOL wants everyone to be attentive to cybersecurity protocols as a fiduciary responsibility, but there's a higher expectation for those "running the systems" according to Tim Hauser, Deputy Assistant Secretary for National Office Operations at the Department of Labor's Employee Benefits Security Administration.
Source: Napa-net.org, July 2021
DOL Provides Cybersecurity Guidance: Meeting Fiduciary Duty, and Avoiding Incorrect Advice to Plan Sponsors
Plan sponsors and fiduciaries have traditionally relied on advisers -- from attorneys to accountants to investment consultants -- to help guide decisions for their retirement plans. For decades, a cornerstone of this assistance has been making recommendations about retirement plan investment portfolios. With the rise of cyberattacks on financial institutions, many plan sponsors and their advisers have started to focus more time and resources on the security of their plan data, including the participant information held by service providers. The DOL also recognized the vulnerability of plans to cyberthreats and recently published three important documents.
Source: Georgetown.edu, July 2021
The focus on cybersecurity implies that the DOL will start to hold plans and their fiduciaries accountable for cybersecurity. Besides the specter of a DOL enforcement action, this guidance should remind plan sponsors that if a cybersecurity breach ever impacts their plan, they need to be prepared. Class action lawsuits that argue that they chose the wrong service provider or that PII was misused or not protected are possible.
Source: Enterpriseiron.com, July 2021
DOL Plan Audits Updated to Include Several Questions About Compliance With Its Cybersecurity Guidelines
The DOL updated its audit inquiries to include probing questions for plan fiduciaries about their compliance with agency cybersecurity guidelines. So, what do those inquiries look like? In short, the DOL is asking plan sponsors to produce: "all documents relating to any cybersecurity or information security programs that apply to the data of the Plan, whether those programs are applied by the sponsor of the Plan or by any service provider of the Plan."
Source: Benefitslawadvisor.com, July 2021
While all businesses have been grappling with cybersecurity challenges for years, cybersecurity has recently come into focus for retirement plans, health and welfare plans, and other ERISA plans due to a new DOL cybersecurity initiative. The DOL has quickly followed up on this guidance by incorporating privacy and cybersecurity requests into its audits of employee benefit plans. This article outlines considerations for plan fiduciaries, including employers and investment or administrative committees, to document that they have followed a prudent process to protect the plan from losses from cybersecurity events and to protect the personal data of participants and beneficiaries.
Source: Kilpatricktownsend.com, July 2021
In light of recent reports of an increase in cybersecurity inquiries by the DOL, retirement plan administrators should accelerate their preparedness strategies for avoiding and addressing cybersecurity attacks against retirement plans. Media outlets are reporting that the DOL has begun asking plan sponsors questions related to cybersecurity policies and procedures.
Source: Debevoise.com, July 2021
Retirement account theft is one of the risks cropping up in the employee benefits community. If you are a plan sponsor or a plan fiduciary, it's important to make sure you've thought about how to address this risk, which is now well above the horizon. As an ERISA fiduciary, you play a key role in helping your participants guard against the theft of their accounts at the hands of cybercriminals. Take the steps noted in the article and stay abreast of developments in this rapidly evolving area.
Source: Plansponsor.com, July 2021
The article discusses how regulators have shifted their focus from data breach notifications to overall cybersecurity preparedness. Authors highlight that where regulators previously focused on how companies responded to cyberattacks, they are now focusing more on whether and to what extent victimized businesses were adequately prepared to defend against attacks. They add that if the policies, procedures, and defenses businesses had in place were inadequate, regulators are increasingly pursuing enforcement actions, even in situations where a data breach did not occur or where individual consumers' personal identifying information was not improperly accessed or acquired.
Source: Faegredrinker.com, June 2021
In light of a new DOL audit initiative and increasing cybersecurity threats to ERISA benefit plans, ERISA plan sponsors and fiduciaries should be prepared to answer some important questions: Do the cybersecurity programs of you and your service providers comply with DOL guidance? Do your contracts with service providers include appropriate data protection provisions? Are you and your service providers doing enough to protect your employees and ERISA plan participants?
Source: Pillsburylaw.com, June 2021
The Department of Labor is moving quickly to audit cybersecurity protocols. Businesses that have not yet addressed their cybersecurity practices and compliance plans must do so immediately. Example DOL audit questions provided.
Source: Nixonpeabody.com, June 2021
Companies that sponsor 401k plans have a fiduciary obligation to protect the individual retirement accounts of their employees from cyber theft. Currently, there are approximately 106 million defined contribution plans in the United States, which hold almost $6.3 trillion in employee retirement savings. Unfortunately, over the last couple of years, cyber theft has become an increasing risk for companies that sponsor 401k plans.
Source: Masudafunai.com, June 2021
With participant assets and retirement security on the line, cybersecurity weighs heavily on many retirement plan sponsors' minds. While the recently issued cybersecurity guidance from the DOL provides a roadmap to help prevent cyber threats, the heightened emphasis indicates that cybersecurity will likely remain a DOL focus for years to come. This webinar recording discusses DOL cybersecurity guidance and its impact on plan sponsors, effective approaches to evaluate and monitor plan providers, and the future of information security in the retirement plan space.
Source: Captrust.com, June 2021
Plan fiduciaries and their service providers likely have heard about the DOL's cybersecurity guidance. The Department of Labor's stepping into cybersecurity in this way has left plan fiduciaries with some questions. So, what are plan fiduciaries thinking? Here are snippets of conversations between plan fiduciaries that may provide some insight into that question.
Source: Benefitslawadvisor.com, June 2021
The DOL has begun issuing information and document requests under their new cybersecurity practices initiative, and the requests are probing and indicate serious inquiry by the DOL. News of the DOL beginning this audit program should not come as a surprise. However, it is fair to say that both the pace with which the DOL has begun its audits and the depth and breadth of the initial round of requests is surprising.
Source: Morganlewis.com, June 2021
This first cybersecurity guidance from the EBSA signals its expectations around cybersecurity. Of note is the focus on vetting and onboarding service providers. These cautions are particularly helpful when considering vendors who have automated protection processes and/or intimate knowledge of their clients' IT systems. Plan sponsors and other fiduciaries with existing cybersecurity programs will want to compare their controls and vendor management programs to these three newly issued guidance documents.
Source: Eyeonprivacy.com, June 2021
The digital world has opened many doors, including some to theft and the abuse of information. When it comes to retirement plans and participant assets, cybersecurity has emerged as a significant area of focus. Read this to find out how plan sponsors can protect themselves and their participants while meeting fiduciary obligations.
Source: Captrust.com, June 2021
Is the personally identifiable information shared with your retirement plan service providers safe? Many providers farm or harvest this data amongst their affiliates or others to market and solicit additional products or services. This gives the appearance that you, as the plan sponsor, endorse these additional products or services. Find out why allowing these practices may put you at risk of accusations of breaching fiduciary duties and what steps you can take to proactively protect yourself and your participants.
Source: Francisinvco.com, May 2021
The US District Court for the Northern District of Illinois handed down a decision in Bartnett v. Abbott Laboratories, dismissing the plaintiff's claims against defendant sponsor fiduciaries in a case involving the theft of $245,000 in the plaintiff's Abbott retirement plan account. Particularly interesting for plan sponsors is the court's discussion of the sponsor fiduciary's standard of care concerning a plan provider's cybersecurity.
Source: Octoberthree.com, May 2021
There's not much new information in the DOL guidance from what had already been suggested by experts; it has issued common-sense best practices that reflect the state of the industry. What is new is that the DOL has laid out thoroughly what it would expect plan fiduciaries to be looking for. "The DOL is saying, 'This is a fiduciary issue, and here's a road map.'"
Source: Plansponsor.com, May 2021
The DOL's new guidance formalized its long-held view that retirement plan fiduciaries must ensure proper mitigation of cybersecurity risks. More specifically, the DOL expects retirement plan fiduciaries to select and monitor the cybersecurity practices of their service providers. Ten key takeaways and next steps.
Source: Employeebenefitsblog.com, May 2021
A Secure System Development Life Cycle Program (SDLC) process ensures that security assurance activities such as penetration testing, code review, and architecture analysis are an integral part of the system development effort. The DOL has enumerated best practices in this regard which are outlined here.
Source: Asppa.org, May 2021
Many general business practices that are the essence of sound governance and responsible business practice also are applicable in establishing strong security policies, procedures, guidelines, and standards. The DOL suggests considering several practices outlined here.
Source: Napa-net.org, May 2021
Retirement plans are increasingly subject to cybersecurity issues, and the DOL is taking notice. Also, litigation arising under ERISA involving cybersecurity threats has highlighted a plan administrator's duty to prudently select and monitor service providers. The DOL's best practices guidance includes many specific action points. Several of their recommendations are highlighted here.
Source: Ogletree.com, May 2021
Newly released documents offer plan sponsors, plan fiduciaries, recordkeepers, and plan participants direction for avoiding cyber theft. What you should know.
Source: Pnc.com, May 2021
Given that the majority of plan sponsors and fiduciaries likely already have existing service providers that aid in the administration of their benefit plans, plan sponsors and fiduciaries may consider amending the applicable service agreement to include some or all of the provisions recommended here to the extent there is not sufficient contractual protection under the existing agreement.
Source: Frostbrowntodd.com, May 2021
Because retirement plans hold a significant amount of money and maintain personal participant information, retirement plans are often a desirable target for cybercriminals. Due to the wealth of money and information that retirement plans hold, the DOL states that plan fiduciaries have an obligation to ensure that proper cybersecurity precautions are in place.
Source: Wnj.com, May 2021
The DOL addressed cybersecurity issues, not in the form of an advisory opinion, information letter, or field assistance bulletin, but rather in the form of three documents describing best practices for plan sponsors and plan fiduciaries, service providers to plans, and plan participants. There is no discussion of whether a participant's plan data is a plan asset under ERISA or of the relative level of responsibility of a plan sponsor/plan fiduciary and a plan's service provider.
Source: Wagnerlawgroup.com, May 2021
The new guidance is intended to complement the DOL's May 2020 regulations on electronic records and disclosures to plan participants and beneficiaries. While the 2020 e-delivery regulations allowed retirement plans to rely on communications of retirement plan updates, benefit statements, and notices to participants and beneficiaries by electronic delivery, there was a recognition that such delivery created an increased risk of cybersecurity attacks. As a result, the DOL provided three sets of recommendations for the different parties involved in sharing sensitive retirement plan information.
Source: Icemiller.com, May 2021
The DOL issued its first cybersecurity guidance for plan sponsors, plan fiduciaries, recordkeepers, and plan participants. As the guidance may be considered a "safe harbor" for fiduciaries to show compliance with their obligations under ERISA, plans should take steps now to review the way plan data is protected and revisit contracts with service providers to incorporate the DOL's recommendations accordingly.
Source: Truckerhuss.com, May 2021
The DOL has spoken "officially" for the first time regarding best practices for ERISA Plan fiduciaries regarding cybersecurity. Let's set the stage for why this is important news, then review the EBSA's suggested "best practices" for ERISA Plan sponsors, fiduciaries, and service providers, as well as plan participants and beneficiaries.
Source: Compliancedashboard.net, April 2021
If you are a service provider, and you have not already realized that your clients are going to start requesting your cybersecurity policy and procedures, this is your wake-up call. But, here's the good news – the DOL has left you a blueprint to follow. In the "Cybersecurity Program Best Practices," the DOL has outlined not only what a service provider should have, such as a formal Cybersecurity Program, but what these documents and best practices should include.
Source: Ferenczylaw.com, April 2021
The clouds have been forming on the horizon for years now: from the courts, we have seen emerging lines of ERISA litigation asserting fiduciary obligations to protect the privacy rights of participants, and from the regulatory agencies we have heard an acknowledgment of the need for guidance regarding fiduciary responsibility for cybersecurity risks. A call to action for plan fiduciaries came last week from the DOL in the form of new cybersecurity guidance for plan sponsors, plan fiduciaries, recordkeepers, and plan participants.
Source: Benefitsbclp.com, April 2021
The DOL issued new cybersecurity guidance to help retirement plan fiduciaries protect $9.3 trillion in assets held by employer-sponsored retirement plans. The DOL guidance confirms that fiduciaries have an obligation to evaluate the cybersecurity procedures of plan record keepers and other service providers.
Source: Ballardspahr.com, April 2021
In the face of cybersecurity challenges, many plan sponsors and administrators have considered ways to mitigate risk. In recent years, it has been suggested that the DOL should provide its perspective on fiduciary responsibilities for cybersecurity. Until now, the DOL has been largely silent on these matters but has now stepped into the discussion with three pieces of guidance aimed at three different audiences.
Source: Erisapracticecenter.com, April 2021
The DOL has prepared these best practices for use by recordkeepers and other service providers responsible for retirement plan-related IT systems and data, and for plan fiduciaries making prudent decisions on the service providers they should hire.
Source: Dol.gov, April 2021
As part of its efforts to protect an estimated $9.3 trillion in retirement plan assets from increasing internal and external cybersecurity threats, the DOL has issued its first guidance ever concerning cybersecurity and retirement plans. The guidance is intended for three interested groups with a stake in retirement plan administration: the sponsors and fiduciaries of retirement plans, the entities providing administrative and other services to retirement plans, and plan participants and beneficiaries.
Source: Bradley.com, April 2021
The DOL issued guidance on cybersecurity for the first time to help plan sponsors, fiduciaries, service providers, and participants protect personal information and retirement assets. In the guidance, the DOL identifies evaluating cybersecurity practices as part of the plan sponsor's or other plan fiduciary's duty to prudently select and monitor plan service providers and states that ensuring proper mitigation of cybersecurity risks is a fiduciary obligation. The guidance is provided in three documents.
Source: Benefitsnotes.com, April 2021
The DOL issued much-anticipated cybersecurity guidance for employee retirement plans. This comes more than four and a half years after the ERISA Advisory Council, a 15-member body appointed by the Secretary of Labor to guide employee benefit plans, shared with the federal DOL some considerations concerning cybersecurity. The essence of the guidance is reviewed here.
Source: Benefitslawadvisor.com, April 2021
Who exactly is responsible if a participant's balance is stolen? While that may not be exactly clear, a recent blog entry suggests that it may be prudent to take steps to protect participants' retirement accounts from cybercrime nonetheless.
Source: Asppa.org, April 2021
DOL Releases Cybersecurity Guidance for Plan Sponsors, Fiduciaries, Service Providers, and Participants
The DOL released a three-part guidance package on cybersecurity for plan sponsors, plan fiduciaries, service providers, and participants. This guidance comes on the heels of the Government Accountability Office report on cybersecurity risks for retirement plans released earlier this year. An EBSA news release accompanies the guidance release.
Source: Ascensus.com, April 2021
401khelpcenter.com, LLC is not the author of the material referenced in this digest unless specifically noted. The material referenced was created, published, maintained, or otherwise posted by institutions or organizations independent of 401khelpcenter.com, LLC. 401khelpcenter.com, LLC does not endorse, approve, certify, or control this material and does not guarantee or assume responsibility for the accuracy, completeness, efficacy, or timeliness of the material. Use of any information obtained from this material is voluntary, and reliance on it should only be undertaken after an independent review of its accuracy, completeness, efficacy, and timeliness. Reference to any specific commercial product, process, or service by trade name, trademark, service mark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by 401khelpcenter.com, LLC.