On April 14, 2021, the Department of Labor’s (DOL) Employee Benefits Security Administration issued guidance on cybersecurity for the first time to help plan sponsors, fiduciaries, service providers, and participants protect personal information and retirement assets. In the guidance, the DOL identifies evaluating cybersecurity practices as part of the plan sponsor’s or other plan fiduciary’s duty to prudently select and monitor plan service providers and states that ensuring proper mitigation of cybersecurity risks is a fiduciary obligation. The guidance is provided in three documents:
- Tips for Hiring a Service Provider, which provides plan sponsors and fiduciaries with questions to ask before selecting a service provider and items to include in contracts with service providers;
- Cybersecurity Program Best Practices, which includes best practices for recordkeepers and service providers and can be used by fiduciaries to prudently select service providers; and
- Online Security Tips, which includes steps participants and beneficiaries can take to reduce the risk of fraud and losses to their retirement accounts.
The guidance is intended to complement the DOL’s regulations on electronic records and disclosures, which require a plan administrator using electronic disclosure to take steps reasonably calculated to protect the confidential information of participants and beneficiaries. For more information on the electronic disclosure regulations, see Stinson’s previous blog post: New DOL Electronic Disclosure Safe Harbor Offers Relief for Retirement Plans.
There has been a recent increase in litigation involving cybersecurity and retirement plans. Some of these lawsuits allege a breach of fiduciary duty by a plan administrator or plan sponsor for failing to prudently select and monitor service providers or by a service provider for failing to establish processes to prevent fraudulent withdrawals. Plan sponsors and fiduciaries should carefully review the new DOL cybersecurity guidance as part of broader measures to protect plan assets and personal information.