In 2021, the US Department of Labor (DOL) issued cybersecurity guidance (the DOL Guidance) that sets out the DOL’s views on what processes fiduciaries of benefit plans regulated by the Employee Retirement Income Security Act of 1974, as amended (ERISA) should follow to protect plan assets and information from cybersecurity risks. In addition, the DOL has engaged in continuing enforcement efforts on such cybersecurity risks with respect to both retirement plans and health and welfare plans.
The DOL Guidance instructs ERISA plan sponsors and fiduciaries to take reasonable steps to protect plan assets and data from the risks of cybersecurity breaches and to ensure that plan vendors follow strong cybersecurity practices. The DOL Guidance regarding vendor practices focuses primarily on recordkeepers, administrators, trustees, and custodians, although it refers to “other” vendors as well. This has raised questions about what cybersecurity standards apply to those other vendors, such as providers of investment-related services.
For ERISA plans that use investment advisers, asset managers, and broker-dealers regulated by the US Securities and Exchange Commission (SEC), the SEC’s regulatory framework on cybersecurity may be a relevant benchmark for ERISA plan sponsors and fiduciaries evaluating those vendors’ cybersecurity practices.
A recent LawFlash summarized a proposed SEC rule for SEC-regulated entities regarding cybersecurity compliance. Among other things, the proposed rule would require regulated entities to notify individuals of unauthorized access to their sensitive customer information and to develop, implement, and maintain written policies and procedures for an incident response program. These rules give ERISA fiduciaries an additional framework for evaluating the cybersecurity practices of such regulated entities.