
COLLECTED WISDOM™ on Cybersecurity Risks and Liabilities

This is a collection of articles, papers, and commentaries on cybersecurity risks and liabilities for employers, retirement plan sponsors and fiduciaries.

This archive contains not only the most current material on the topic, but also older items that are still relevant, provide background or perspective, or are otherwise germane to the topic.

If you find a broken link or an item that you feel is outdated, irrelevant or no longer appropriate, please let us know.


Five Critical Components of a Cybersecurity Compliance Review

Cybersecurity should be top of mind for retirement plan fiduciaries, not only because the risks of a data breach or fraud are on the rise but also because the DOL has begun auditing retirement plans with a focus on cybersecurity. What's the best way for plan fiduciaries to mitigate risks while also demonstrating compliance with recent DOL guidance? Conduct a cybersecurity compliance review. This article outlines best practices for conducting such a review.

Source: Ifebp.org, September 2022

DOL Cybersecurity Investigations: The Trap Door to Endless Document Requests?

Parties involved in a DOL investigation often ask a simple question: how much information am I obligated to provide the DOL in response to an administrative subpoena? A recent decision, in the United States Court of Appeals for the Seventh Circuit, Walsh v. Alight Solutions, LLC, provides some guidance.

Source: Groom.com, August 2022

Why You Need Cybersecurity Insurance and How to Get It

The topic of cybersecurity insurance has crept to the top of the charts for the DOL's ERISA Advisory Council. Each year, the EAC picks topics it deems crucial to the administration of ERISA. For their May 6, 2022, meeting, they chose cybersecurity insurance and employee benefit plans as one of their topics. When the DOL and, specifically, the EAC take a closer look at a topic like cybersecurity insurance for those who handle employee benefit plan data, you can rest assured it will soon become a mandatory focus.

Source: Penchecks.com, August 2022

Cybersecurity Invades Employee Benefit Plan Administration

Cybersecurity is a tech-centric term that often makes business unit leadership's eyes roll. That response is risky because cybersecurity ranks among the most vital issues facing human resources, finance, and administration executives. Employee benefit plan leaders face a new era that requires administration and risk management behaviors that are not part of traditional fiduciary best practice thinking.

Source: Rolandcriss.com, August 2022

Another Cybertheft Lawsuit Spotlights 401k Recordkeeper Procedures

Several lawsuits have been filed against plan sponsors and their recordkeepers, including Estee Lauder, Abbott Laboratories, and recordkeeper Alight, as a result of the theft of plan participant assets. Those cases have not resulted in final decisions clearly defining the responsibilities of fiduciaries and service providers, but a newly filed lawsuit against Colgate-Palmolive and Alight provides another opportunity to do so.

Source: Cohenbuckmann.com, July 2022

Cybersecurity in the Committee Room

Cybersecurity is not merely a technology issue. For that reason, fiduciary committees must understand they have a legal duty to protect the personally identifiable information, personal health information, and assets of their employee benefit plans from exposure and to protect electronic systems from exploitation by hackers. Read how some fiduciary committees address the challenge.

Source: Rolandcriss.com, July 2022

A Very Scary Case of 401k Participant Theft

A Maryland man was indicted on money laundering charges in early June after he and accomplices allegedly hacked into the 401k account of an employee at a New Jersey-based company. They added a bank account belonging to another individual without the victim's knowledge or authorization.

Source: 401kspecialistmag.com, June 2022

DOL, Recordkeeper Square Off in Confidentiality Disputes

The DOL's cybersecurity investigation into Alight Solutions, a retirement plan recordkeeper, has queued up court rulings on the reach of the DOL's subpoena power that may have important implications for ERISA plan sponsors and their respective recordkeepers and service providers moving forward.

Source: Erisalitigationadvisor.com, June 2022

Cybersecurity and Retirement Plans

This learning deck will help you understand the latest guidance on cybersecurity for qualified retirement plans, adapt the tips for hiring a plan service provider, know cybersecurity program best practices for qualified retirement plans, and recognize the role of the financial advisor in cybersecurity.

Source: Fi360.com, June 2022

Data Breach Suit Targets Consultant

A consulting firm's data breach has triggered a second class-action lawsuit by an affected participant on behalf of a class of some 2,500,000 individuals. The suit, brought by plaintiff Greg Torrano, claims that 2,537,261 individuals signed up for benefits plans through their employers only to subsequently find out personally identifiable information, including names, birthdates, and Social Security numbers, had been stolen in a data breach.

Source: Ntsa-net.org, May 2022

12 Steps to Take Before and During a Data Breach

Employee benefit plans are attractive targets for hackers because they contain sensitive data, including health care information. The article outlines 12 steps to take before and during a data breach to ensure the best possible outcome for your employees and benefit plan participants as well as your organization as a whole.

Source: Ifebp.org, May 2022

DOL Pushes Back on Crypto, SDBA Concerns

The Department of Labor isn't backing down on its cryptocurrency concerns, but a written response to U.S. Sen. Tommy Tuberville includes some comments concerning its application to self-directed brokerage windows. The DOL's April 30 response to Tuberville's letter to Labor Secretary Marty Walsh from Acting Assistant Secretary of Labor Ali Khawar regarding the Compliance Assistance Release on cryptocurrency reiterates the motivation for the release.

Source: Napa-net.org, April 2022

Cybersecurity Risks: Where We Are and Steps to Take

Cyber criminals are as innovative as those who develop and refine the technology they manipulate—and now their targets include the retirement industry. Experts in a recent panel, and also in a report, weighed in on the tricks those criminals use and strategies that can help thwart them.

Source: Asppa.org, April 2022

401k Cybersecurity Risk Increases with Remote Workforce

401k cybersecurity risk exists for all retirement plans. However, having a remote workforce exponentially increases 401k cybersecurity risk. Remote employees present employers with multi-point networking exposure that has grown to be one of the bigger concerns about cybersecurity. The proliferation of remote workers can be traced back to the early stages of the Covid-19 pandemic. A new study shows that employers have work to do when it comes to mitigating 401k cybersecurity risk.

Source: 401ktv.com, April 2022

Learn How to Protect Your 401k Clients From Cyberattacks

Cyber insecurity is a serious problem. Only 76% of RIAs hold cyber insurance, leaving 24% unprotected in case of a breach in addition to being exposed to these threats. Of those with cyber insurance, the median coverage amount is only $1 million. These assets and the personal information that come along with them are even more vulnerable due to the numerous parties collaborating on them, from recordkeepers to payroll companies to TPAs to plan sponsors and everyone else in between. To combat these online threats, start by asking questions.

Source: Fiduciarydecisions.com, March 2022

Do Employers Need a CISO for ERISA Compliance?

As DOL investigators grapple with applying the Guidance along with their internal resources, it remains unclear whether they will be fixated on requiring in all cases an express designation of a Chief Information Security Officer by all retirement plan sponsors and plan service providers. Of course, it will be important for organizations to clearly define and assign information security roles and responsibilities. The lack of a CISO designation alone should not necessarily mean an organization's data security efforts are rudderless.

Source: Benefitslawadvisor.com, March 2022

Why Account Consolidation is Vital to Reduce 401k Cybersecurity Risk

With $10 trillion in 401k and other defined contribution retirement assets to safeguard, retirement industry regulators are intensely focused on the issue of cybersecurity. Account consolidation can lower retirement savings cybersecurity risks by minimizing the sheer number of fraud-prone, small-balance retirement savings accounts.

Source: 401kspecialistmag.com, March 2022

Data Privacy and Security: Key Concerns for Benefit Plans

In consideration of Data Privacy Day, it is the perfect time to take stock of retirement and health plan information. Here are some questions benefit plans should be asking concerning plan data.

Source: Groom.com, January 2022

Cybersecurity Preparedness Checklist for Plan Fiduciaries

401k plans face significant cybersecurity risks for which there is no federal safety net. Service providers are very much on the front line, but plan fiduciaries need to treat cybersecurity with the same high degree of diligence that they exercise with investment decision-making and all other plan administrative matters. The key to mitigating risk is conducting a self-assessment using the Cybersecurity Preparedness Checklist for Plan Fiduciaries and building a strategy around the results of that assessment.

Source: Mcdonaldhopkins.com, January 2022

Bridging the Gap Between the Retirement Plan Fiduciary Committees and IT

Technology-empowered threats to the security and confidentiality of retirement plan assets and data are exploding. Current fiduciary management methods largely lack a formal interface with the information technology function and its storehouse of expertise. These two realities demand that fiduciary committees embrace their enterprises' information technology departments in a new era of collaboration.

Source: Rolandcriss.com, January 2022

Court Enforces DOL Subpoena Seeking ERISA Plan's Cybersecurity Information

A district court has enforced an administrative subpoena issued by the DOL seeking an ERISA plan service provider's cybersecurity records. The subpoena is part of an investigation into the service provider after it allegedly processed unauthorized distributions as a result of cybersecurity breaches relating to its ERISA plan clients.

Source: Hodgsonruss.com, December 2021

Why Plan Sponsors Must Address Cybersecurity Now

With cybersecurity threats getting increasingly sophisticated and costly, plan sponsors can no longer afford to wait to address the threats to their retirement plans. In a Dec. 16 webinar by the Plan Sponsor Council of America, Daniel Aronowitz, Managing Principal with Euclid Fiduciary, and David Levine, Principal at the Groom Law Group, walked webinar participants through the different types of cyberattacks, as well as recent regulatory, legal and industry developments and how plan sponsors can protect themselves.

Source: Asppa.org, December 2021

Retirement Plan Participant Claims Harm From Transamerica Data Breach

In a lawsuit, the participant alleges the retirement plan service provider did not take steps to protect the personal information of participants in plans it serves.

Source: Planadviser.com, December 2021

Cybersecurity and Data Privacy for Benefit Plans

Failing to adequately address data privacy and security will likely result in a breach of fiduciary duty claim. Knowing there is sensitive data at risk, what should employers, plan administrators and their plans do? This article contains some helpful starting points.

Source: Clarkhill.com, December 2021

DOL Guidance on Cybersecurity: A Cautionary Note for Plan Sponsors

The DOL's cybersecurity best practices for plans covered by ERISA makes it clear that plan sponsors, service providers, and participants share responsibility for protecting plan accounts. The adoption and implementation of ERISA cybersecurity policies and procedures will be your best defense against fiduciary litigation and DOL investigations, which are certain to arise in the wake of the DOL's guidance. Here are some tips.

Source: Troutman.com, December 2021

DOL Seeks Information From Alight Solutions About Cybersecurity Incidents

Alight has been sued by retirement plan participants whose accounts were hacked, and the Department of Labor is investigating the provider's practices.

Source: Planadviser.com, December 2021

Federal Court Enforces DOL Subpoena

Shortly after the DOL's Employee Benefits Security Administration issued its cybersecurity guidance for employee retirement plans and updated its audit inquiries to include compliance with these guidelines, a federal court in Chicago ruled an employee benefit services provider must comply with a subpoena requesting, among other things, documents and communications relating to the provider's information security and cybersecurity plans and controls.

Source: Erisalitigationadvisor.com, November 2021

Provider Reviews, Contracts Emphasized in DOL Cybersecurity Guidance

Retirement plan fiduciaries often rely on their service providers to create the electronic systems used to maintain participant data and conduct electronic transactions involving plan assets, so the Department of Labor is paying special attention to these relationships.

Source: Planadviser.com, November 2021

Misuse of Participant Confidential Data

The DOL has become highly focused on the cybersecurity practices of plan sponsors and their service providers and has begun asking comprehensive cybersecurity questions in plan audits. It seems clear the DOL is concerned not just with theft of plan data or assets, but also with the misuse of confidential participant data.

Source: Wagnerlawgroup.com, November 2021

Surviving a DOL Cybersecurity Audit: A Cybersecurity Action Plan for 401k Fiduciaries

Whatever a particular fiduciary's degree of involvement with cybersecurity may be, the DOL's enforcement initiative should prompt the fiduciary to get ready for scrutiny of their cybersecurity preparedness and of their oversight of the preparedness of their defined contribution retirement plan service providers, for example, the 401k plan recordkeeper or institutional trustee. Whether a fiduciary has been highly engaged with cybersecurity or not, this article outlines a fiduciary action plan.

Source: Keightleyashner.com, October 2021

Cybersecurity Preparedness Checklist for Plan Fiduciaries

Fiduciaries should complete this checklist for each service provider, for example, a payroll provider, 401k plan recordkeeper and administrative service provider, and an institutional trustee. Neither the DOL guidance nor this checklist ranks or assigns relative importance to the questions and practices it describes. To the extent questions in this checklist are answered in the negative, consideration should be given to potential changes in policy, procedures, contract terms, and/or monitoring, as appropriate. Answering "yes" to questions provides a degree of assurance but is no guarantee that fiduciary conduct would be considered prudent.

Source: Keightleyashner.com, October 2021

Strong Cybersecurity Policies Must Be a Firm Priority

Cybersecurity breaches are a growing concern among advisers, and, without sufficient protection, the benefits of America's workers may be at risk. With this challenge in mind, a recent panel discussion hosted by Fi360, a Broadridge company, detailed how to prepare a plan to keep up with current and future risks.

Source: Planadviser.com, October 2021

Cybersecurity Requests Appear in DOL Audits

Benefit plan sponsors and service providers need to take a proactive approach to cybersecurity and be prepared for a possible DOL investigation. Although the immediate attention has been on retirement plans, health and welfare plan sponsors and fiduciaries should also be prepared to field questions about cybersecurity from DOL auditors.

Source: Groom.com, October 2021

Small U.S. Retirement Plans Lagging in Cybersecurity Oversight

Fiduciaries at large, sophisticated plans tend to understand their responsibility and have the resources and staff to regularly assess contractors' fraud and data controls. But smaller firms can be left in the dark. As recordkeepers continue to make cyber improvements, they may play an outsized role in helping their smaller clients keep up. One of the things they need to be doing is raising awareness among plan fiduciaries that they have this responsibility.

Source: Groom.com, October 2021

Specialist Advisers Say Cybersecurity Practices a Top Factor in Recordkeeper Selection

Nearly one-third (31%) of retirement plan recordkeepers expect to increase their cybersecurity staff, according to a Cerulli report. Industry stakeholders suggest the threat of retirement account fraud has increased in recent years, particularly during the remote work environment, Cerulli Associates says. And, even though the majority of recordkeepers act in a non-fiduciary capacity, Cerulli points out that courts have suggested that cybersecurity is a shared responsibility.

Source: Planadviser.com, October 2021

Recordkeepers Planning to Amp Up Cyber Staff

In response to an increased threat of retirement account fraud, nearly a third of recordkeepers expect to boost their cybersecurity staff going forward, a new report from Cerulli finds. Even though plan providers have always been subject to cyberattacks, this is an issue that has become more acute in recent years, particularly during the remote work environment when many employees are working on less secure home networks and personal devices during the pandemic.

Source: Napa-net.org, September 2021

Cybersecurity and DOL Document Requests

The DOL's "Cybersecurity Document Requests" reveal the DOL has been asking for quite an extensive list of documentation. Moreover, the DOL has noted that plan administrators should be aware that they may need to consult not only with the sponsor of the plan, but with the service providers of the plan to obtain all the documents requested, and if they are unable to produce the requested documents the plan administrator must specify the reasons why the documents are unavailable.

Source: Retirementlc.com, September 2021

The DOL's New Cybersecurity Audits and Informal Guidance

The DOL had begun asking cybersecurity questions on some plan audits in 2020 but recently began using a more comprehensive document request in plan audits. The DOL's cybersecurity document request to plan sponsors is broadly stated: "all documents relating to any cybersecurity or information security programs that apply to the data of the plan, whether these programs are applied by the sponsor of the plan or by any service provider to the plan."

Source: Wagnerlawgroup.com, September 2021

Plan Cybersecurity Guidance: DOL Enforcement Warrants Plan Sponsor Action

Benefit plan sponsors and plan fiduciaries should take note and act quickly. The Department of Labor has issued a new cybersecurity guidance package with far-reaching effects and has already begun including this in its enforcement efforts.

Source: Poynerspruill.com, September 2021

Best Practices for ERISA Fiduciary Responsibilities and Cybersecurity for Retirement Plans

In today's world, most transactions involving retirement plans are conducted electronically, including maintaining and sharing data across multiple platforms. Data and personally identifiable information have become increasingly vulnerable to attack as the information travels across employer and third-party systems. Plan fiduciaries must develop best practices related to cybersecurity. This requires thought and insight and depends on the facts and circumstances. This 12-page paper is an in-depth review of the issue.

Source: Mintz.com, August 2021

Developing a Prudent Process for Cybersecurity

Principals with Groom Law Group discuss steps retirement plan sponsors can take to avoid or be prepared for a DOL cybersecurity audit.

Source: Plansponsor.com, August 2021

How DOL's Cybersecurity Guidance Impacts Retirement and Health/Welfare Plans

The DOL issued cybersecurity guidance to plan fiduciaries and participants in the form of three separate documents. The first two documents included what amounted to checklists of provisions that plan sponsors should look for in their contracts with service providers such as third-party administrators, trustees, custodians, investment managers, and the like. The third document was directed more toward individuals. This article reviews steps a prudent fiduciary should consider.

Source: Quarles.com, August 2021

Cyber Insurance for 401ks Rises in Cost, Demand

Coverage is now harder to get, and it costs more, largely due to the higher volume of attacks that resulted in higher loss ratios for insurers.

Source: Investmentnews.com (registration may be required), August 2021

DOL Initiates Cybersecurity Retirement Plan Audit Initiatives

The DOL recently released its first-ever guidance on cybersecurity for retirement plans. Just a few months after issuing this guidance, reports are coming in that the DOL has issued information and document requests to plan sponsors that are "probing and indicate serious inquiry by the DOL." These requests are asking for all cybersecurity and information security program policies, procedures, and guidelines that relate to retirement plans, whether applied by the plan sponsor or by a provider, as well as detailed documentation of specific actions taken by the plan's fiduciaries and providers, including many that the DOL addressed in its guidance.

Source: Hallbenefitslaw.com, August 2021

Cybersecurity and Related Legal Risks Come Home to ERISA Plans

ERISA-covered plans have entered the digital world. As the amount of confidential information about plan participants that is stored in multiple information systems, and shared among plan service providers, increases, so, too, do the legal risks. The DOL has now made cybersecurity risk an enforcement priority; the courts have started to wrestle with whether participant data is a "plan asset." Plan sponsors and service providers should brace themselves.

Source: Stradley.com, August 2021

Texas Retirement Plan Hit by Cyber Theft

Another retirement plan cyber theft scheme has come to light and the perpetrators sentenced. This particular intrusion involved the Texas Employees Retirement System and the machinations of Olumide Bankole Morakinyo, 38, a Nigerian national residing in Canada, and Lukman Shina Aminu, a resident of New Hampshire, who created unauthorized accounts for participants in the Employees Retirement System of Texas internet portal.

Source: Napa-net.org, August 2021

Cybersecurity Best Practices for Employer-Sponsored Benefits

Cybersecurity is a major concern in the context of employer-sponsored benefit plans because plan participants' financial and personally identifiable information is maintained and shared with multiple parties. To help you assess and mitigate your organization's risk related to safeguarding this information, this article explores some important action steps.

Source: Ajg.com, July 2021

DOL Cyber Scrutiny Higher for "Those Running the Systems"

The DOL wants everyone to be attentive to cybersecurity protocols as a fiduciary responsibility, but there's a higher expectation for those "running the systems" according to Tim Hauser, Deputy Assistant Secretary for National Office Operations at the Department of Labor's Employee Benefits Security Administration.

Source: Napa-net.org, July 2021

DOL Provides Cybersecurity Guidance: Meeting Fiduciary Duty, and Avoiding Incorrect Advice to Plan Sponsors

Plan sponsors and fiduciaries have traditionally relied on advisers -- from attorneys to accountants to investment consultants -- to help guide decisions for their retirement plans. For decades, a cornerstone of this assistance has been making recommendations about retirement plan investment portfolios. With the rise of cyberattacks on financial institutions, many plan sponsors and their advisers have started to focus more time and resources on the security of their plan data, including the participant information held by service providers. The DOL also recognized the vulnerability of plans to cyberthreats and recently published three important documents.

Source: Georgetown.edu, July 2021

Cybersecurity: Another Responsibility for Retirement Plan Sponsors and Fiduciaries

The focus on cybersecurity implies that the DOL will start to hold plans and their fiduciaries accountable for cybersecurity. Besides the specter of a DOL enforcement action, this guidance should remind plan sponsors that if a cybersecurity breach ever impacts their plan, they need to be prepared. Class action lawsuits that argue that they chose the wrong service provider or that PII was misused or not protected are possible.

Source: Enterpriseiron.com, July 2021

DOL Plan Audits Updated to Include Several Questions About Compliance With Its Cybersecurity Guidelines

The DOL updated its audit inquiries to include probing questions for plan fiduciaries about their compliance with agency cybersecurity guidelines. So, what do those inquiries look like? In short, the DOL is asking plan sponsors to produce: "all documents relating to any cybersecurity or information security programs that apply to the data of the Plan, whether those programs are applied by the sponsor of the Plan or by any service provider of the Plan."

Source: Benefitslawadvisor.com, July 2021

Fiduciary Duty Is Coming to Privacy: Through Your Benefit Plans

While all businesses have been grappling with cybersecurity challenges for years, cybersecurity has recently come into focus for retirement plans, health and welfare plans, and other ERISA plans due to a new DOL cybersecurity initiative. The DOL has quickly followed up on this guidance by incorporating privacy and cybersecurity requests into its audits of employee benefit plans. This article outlines considerations for plan fiduciaries, including employers and investment or administrative committees, to document that they have followed a prudent process to protect the plan from losses from cybersecurity events and to protect the personal data of participants and beneficiaries.

Source: Kilpatricktownsend.com, July 2021

DOL Intensifies Cyber Readiness Inquiries Among Retirement Plan Administrators

In light of recent reports of an increase in cybersecurity inquiries by the DOL, retirement plan administrators should accelerate their preparedness strategies for avoiding and addressing cybersecurity attacks against retirement plans. Media outlets are reporting that the DOL has begun asking plan sponsors questions related to cybersecurity policies and procedures.

Source: Debevoise.com, July 2021

Cybersecurity for Plan Fiduciaries: Focus on Account Theft

Retirement account theft is one of the risks cropping up in the employee benefits community. If you are a plan sponsor or a plan fiduciary, it's important to make sure you've thought about how to address this risk that is now well above the horizon. As an ERISA fiduciary, you play a key role in helping your participants guard against the theft of their accounts at the hands of cybercriminals. Take the steps the article describes and stay abreast of developments in this rapidly evolving area.

Source: Plansponsor.com, July 2021

Cybersecurity Enforcement Trends: A Fraught New Reality for Victims of Cyberattacks

The article discusses how regulators have shifted their focus from data breach notifications to overall cybersecurity preparedness. Authors highlight that where regulators previously focused on how companies responded to cyberattacks, they are now focusing more on whether and to what extent victimized businesses were adequately prepared to defend against attacks. They add that if the policies, procedures, and defenses businesses had in place were inadequate, regulators are increasingly pursuing enforcement actions, even in situations where a data breach did not occur or where individual consumers' personal identifying information was not improperly accessed or acquired.

Source: Faegredrinker.com, June 2021

DOL Ups Game on Cybersecurity Program Oversight, Begins Audit Initiative

In light of a new DOL audit initiative and increasing cybersecurity threats to ERISA benefit plans, ERISA plan sponsors and fiduciaries should be prepared to answer some important questions: Do the cybersecurity programs of you and your service providers comply with DOL guidance? Do your contracts with service providers include appropriate data protection provisions? Are you and your service providers doing enough to protect your employees and ERISA plan participants?

Source: Pillsburylaw.com, June 2021

The DOL Commences Cybersecurity Audit Activity

The Department of Labor is moving quickly to audit cybersecurity protocols. Businesses that have not yet addressed their cybersecurity practices and compliance plans must do so immediately. Example DOL audit questions provided.

Source: Nixonpeabody.com, June 2021

Protecting Employee Retirement Savings From Cyber Criminals

Companies that sponsor 401k plans have a fiduciary obligation to protect the individual retirement accounts of their employees from cyber theft. Currently, there are approximately 106 million defined contribution plans in the United States, which hold almost $6.3 trillion in employee retirement savings. Unfortunately, over the last couple of years, cyber theft has become an increasing risk for companies that sponsor 401k plans.

Source: Masudafunai.com, June 2021

Cybersecurity and Retirement Plans: What Plan Sponsors Need to Know (Webinar Recording)

With participant assets and retirement security on the line, cybersecurity weighs heavily on many retirement plan sponsors' minds. While the recently issued cybersecurity guidance from the DOL provides a roadmap to help prevent cyber threats, the heightened emphasis indicates that cybersecurity will likely remain a DOL focus for years to come. This webinar recording discusses DOL cybersecurity guidance and its impact on plan sponsors, effective approaches to evaluate and monitor plan providers, and the future of information security in the retirement plan space.

Source: Captrust.com, June 2021

Musings of Retirement Plan Fiduciaries on Cybersecurity: Episode One

Plan fiduciaries and their service providers likely have heard about the DOL's cybersecurity guidance. The Department of Labor's stepping into cybersecurity in this way has left plan fiduciaries with some questions. So, what are plan fiduciaries thinking? Here are snippets of conversations between plan fiduciaries that may provide some insight into that question.

Source: Benefitslawadvisor.com, June 2021

DOL Begins Its Cybersecurity Audit Initiative and It's a Doozy

The DOL has begun issuing information and document requests under their new cybersecurity practices initiative, and the requests are probing and indicate serious inquiry by the DOL. News of the DOL beginning this audit program should not come as a surprise. However, it is fair to say that both the pace with which the DOL has begun its audits and the depth and breadth of the initial round of requests is surprising.

Source: Morganlewis.com, June 2021

Cybersecurity Guidance Issued to Retirement Plan Sponsors

This first cybersecurity guidance from the EBSA signals its expectations around cybersecurity. Of note is the focus on vetting and onboarding service providers. These cautions are particularly helpful when considering vendors who have automated protection processes and/or intimate knowledge of their clients' IT systems. Plan sponsors and other fiduciaries with existing cybersecurity programs will want to compare their controls and vendor management programs against these three newly issued guidance documents.

Source: Eyeonprivacy.com, June 2021

Cybersecurity: Retirement Plan Sponsors Can Protect Themselves

The digital world has opened many doors, including some to theft and the abuse of information. When it comes to retirement plans and participant assets, cybersecurity has emerged as a significant area of focus. Read this to find out how plan sponsors can protect themselves and their participants while meeting fiduciary obligations.

Source: Captrust.com, June 2021

Protecting Participant Personal Data

Is the personally identifiable information shared with your retirement plan service providers safe? Many providers farm or harvest this data amongst their affiliates or others to market and solicit additional products or services. This gives the appearance that you, as the plan sponsor, endorse these additional products or services. Find out why allowing these practices may put you at risk of accusations of breaching fiduciary duties and what steps you can take to proactively protect yourself and your participants.

Source: Francisinvco.com, May 2021

Court Finds Sponsor Not Liable for Plan Account Theft

The US District Court for the Northern District of Illinois handed down a decision in Bartnett v. Abbott Laboratories, dismissing the plaintiff's claims against defendant sponsor fiduciaries in a case involving the theft of $245,000 in the plaintiff's Abbott retirement plan account. Particularly interesting for plan sponsors is the court's discussion of the sponsor fiduciary's standard of care concerning a plan provider's cybersecurity.

Source: Octoberthree.com, May 2021

The DOL's Cybersecurity Guidance in Practice

There's not much new information in the DOL guidance from what had already been suggested by experts; it has issued common-sense best practices that reflect the state of the industry. What is new is that the DOL has laid out thoroughly what it would expect plan fiduciaries to be looking for. "The DOL is saying, 'This is a fiduciary issue, and here's a road map.'"

Source: Plansponsor.com, May 2021

EBSA Privacy and Cybersecurity Guidance

The DOL's new guidance formalized its long-held view that retirement plan fiduciaries must ensure proper mitigation of cybersecurity risks. More specifically, the DOL expects retirement plan fiduciaries to select and monitor the cybersecurity practices of their service providers. Ten key takeaways and next steps.

Source: Employeebenefitsblog.com, May 2021

Cybersecurity Best Practices, DOL Style: Systems

A Secure System Development Life Cycle Program (SDLC) process ensures that security assurance activities such as penetration testing, code review, and architecture analysis are an integral part of the system development effort. The DOL has enumerated best practices in this regard which are outlined here.

Source: Asppa.org, May 2021

Cybersecurity Best Practices, DOL Style: Setting the Groundwork

Many general business practices that are the essence of sound governance and responsible business practice also are applicable in establishing strong security policies, procedures, guidelines, and standards. The DOL suggests considering several practices outlined here.

Source: Napa-net.org, May 2021

ERISA Cybersecurity Lessons for Employers

Retirement plans are increasingly subject to cybersecurity issues, and the DOL is taking notice. Also, litigation arising under ERISA involving cybersecurity threats has highlighted a plan administrator's duty to prudently select and monitor service providers. The DOL's best practices guidance includes many specific action points. Several of their recommendations are highlighted here.

Source: Ogletree.com, May 2021

DOL Provides Cybersecurity Guidance

Newly released documents offer plan sponsors, plan fiduciaries, recordkeepers, and plan participants direction for avoiding cyber theft. What you should know.

Source: Pnc.com, May 2021

A Long Time Coming: The DOL Issues Cybersecurity Guidance

Given that the majority of plan sponsors and fiduciaries likely already have existing service providers that aid in the administration of their benefit plans, plan sponsors and fiduciaries may consider amending the applicable service agreement to include some or all of the provisions recommended here to the extent there is not sufficient contractual protection under the existing agreement.

Source: Frostbrowntodd.com, May 2021

DOL Issues Cybersecurity Guidance For Retirement Plans

Because retirement plans hold a significant amount of money and maintain personal participant information, retirement plans are often a desirable target for cybercriminals. Due to the wealth of money and information that retirement plans hold, the DOL states that plan fiduciaries have an obligation to ensure that proper cybersecurity precautions are in place.

Source: Wnj.com, May 2021

Department of Labor Issues Cybersecurity Guidance

The DOL addressed cybersecurity issues, not in the form of an advisory opinion, information letter, or a field advice bulletin, but rather in the form of three documents describing best practices for plan sponsors and plan fiduciaries, service providers to plans, and plan participants. There is no discussion of whether a participant's plan data is a plan asset under ERISA or the relative level of responsibility of a plan sponsor/plan fiduciary and a plan's service provider.

Source: Wagnerlawgroup.com, May 2021

DOL Issues New Cybersecurity Guidance: A Step Towards Minimum Expectations

The new guidance is intended to complement the DOL's May 2020 regulations on electronic records and disclosures to plan participants and beneficiaries. While the 2020 e-delivery regulations allowed retirement plans to rely on communications of retirement plan updates, benefit statements, and notices to participants and beneficiaries by electronic delivery, there was a recognition that such delivery created an increased risk of cybersecurity attacks. As a result, the DOL provided three sets of recommendations for the different parties involved in sharing sensitive retirement plan information.

Source: Icemiller.com, May 2021

DOL Issues New Cybersecurity Guidance: What Plans and Service Providers Need to Know

The DOL issued its first cybersecurity guidance for plan sponsors, plan fiduciaries, recordkeepers, and plan participants. As the guidance may be considered a "safe harbor" for fiduciaries to show compliance with their obligations under ERISA, plans should take steps now to review the way plan data is protected and revisit contracts with service providers to incorporate the DOL's recommendations accordingly.

Source: Truckerhuss.com, May 2021

12 Steps to Stronger Cybersecurity for ERISA Plans

The DOL has spoken "officially" for the first time regarding best practices for ERISA Plan fiduciaries regarding cybersecurity. Let's set the stage for why this is important news, then review the EBSA's suggested "best practices" for ERISA Plan sponsors, fiduciaries, and service providers, as well as plan participants and beneficiaries.

Source: Compliancedashboard.net, April 2021

DOL Issues Cybersecurity Guidance

If you are a service provider, and you have not already realized that your clients are going to start requesting your cybersecurity policy and procedures, this is your wake-up call. But, here's the good news – the DOL has left you a blueprint to follow. In the "Cybersecurity Program Best Practices," the DOL has outlined not only what a service provider should have, such as a formal Cybersecurity Program, but what these documents and best practices should include.

Source: Ferenczylaw.com, April 2021

ERISA Fiduciary Obligations Expanded to Include Mitigation of Cybersecurity Risks

The clouds have been forming on the horizon for years now: from the courts, we have seen emerging lines of ERISA litigation asserting fiduciary obligations to protect the privacy rights of participants, and from the regulatory agencies we have heard an acknowledgment of the need for guidance regarding fiduciary responsibility for cybersecurity risks. A call to action for plan fiduciaries came last week from the DOL in the form of new cybersecurity guidance for plan sponsors, plan fiduciaries, recordkeepers, and plan participants.

Source: Benefitsbclp.com, April 2021

DOL Issues New Cybersecurity Guidance for Retirement Plan Sponsors

The DOL issued new cybersecurity guidance to help retirement plan fiduciaries protect $9.3 trillion in assets held by employer-sponsored retirement plans. The DOL guidance confirms that fiduciaries have an obligation to evaluate the cybersecurity procedures of plan record keepers and other service providers.

Source: Ballardspahr.com, April 2021

DOL Steps Into the Cybersecurity Discussion

In the face of cybersecurity challenges, many plan sponsors and administrators have considered ways to mitigate risk. In recent years, it has been suggested that the DOL should provide its perspective on fiduciary responsibilities for cybersecurity. Until now, the DOL has been largely silent on these matters but has now stepped into the discussion with three pieces of guidance aimed at three different audiences.

Source: Erisapracticecenter.com, April 2021

Cybersecurity Program Best Practices

The DOL has prepared these best practices for use by recordkeepers and other service providers responsible for retirement plan-related IT systems and data, and for plan fiduciaries making prudent decisions on the service providers they should hire.

Source: Dol.gov, April 2021

Cybersecurity: New DOL Guidance for Retirement Plans

As part of its efforts to protect an estimated $9.3 trillion in retirement plan assets from increasing internal and external cybersecurity threats, the DOL has issued its first guidance ever concerning cybersecurity and retirement plans. The guidance is intended for three interested groups with a stake in retirement plan administration: the sponsors and fiduciaries of retirement plans, the entities providing administrative and other services to retirement plans, and plan participants and beneficiaries.

Source: Bradley.com, April 2021

DOL Issues First Ever Cybersecurity Guidance

The DOL issued guidance on cybersecurity for the first time to help plan sponsors, fiduciaries, service providers, and participants protect personal information and retirement assets. In the guidance, the DOL identifies evaluating cybersecurity practices as part of the plan sponsor's or other plan fiduciary's duty to prudently select and monitor plan service providers and states that ensuring proper mitigation of cybersecurity risks is a fiduciary obligation. The guidance is provided in three documents.

Source: Benefitsnotes.com, April 2021

DOL Issues Cybersecurity Best Practices for ERISA Covered Retirement Plans

The DOL issued much-anticipated cybersecurity guidance for employee retirement plans. This comes more than four and a half years after the ERISA Advisory Council, a 15-member body appointed by the Secretary of Labor to guide employee benefit plans, shared with the federal DOL some considerations concerning cybersecurity. The essence of the guidance is reviewed here.

Source: Benefitslawadvisor.com, April 2021

Protecting Balances From Cyber Thieves

Who exactly is responsible if a participant's balance is stolen? While that may not be exactly clear, a recent blog entry suggests that it may be prudent to take steps to protect participants' retirement accounts from cybercrime nonetheless.

Source: Asppa.org, April 2021

DOL Releases Cybersecurity Guidance for Plan Sponsors, Fiduciaries, Service Providers, and Participants

The DOL released a three-part guidance package on cybersecurity for plan sponsors, plan fiduciaries, service providers, and participants. This guidance comes on the heels of the Government Accountability Office report on cybersecurity risks for retirement plans released earlier this year. An EBSA news release accompanies the guidance release.

Source: Ascensus.com, April 2021


401khelpcenter.com, LLC is not the author of the material referenced in this digest unless specifically noted. The material referenced was created, published, maintained, or otherwise posted by institutions or organizations independent of 401khelpcenter.com, LLC. 401khelpcenter.com, LLC does not endorse, approve, certify, or control this material and does not guarantee or assume responsibility for the accuracy, completeness, efficacy, or timeliness of the material. Use of any information obtained from this material is voluntary, and reliance on it should only be undertaken after an independent review of its accuracy, completeness, efficacy, and timeliness. Reference to any specific commercial product, process, or service by trade name, trademark, service mark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by 401khelpcenter.com, LLC.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.