As discussed in an earlier post, the Department of Labor’s Employee Benefits Security Administration (EBSA) released cybersecurity guidance in April directed at ERISA fiduciaries and plan sponsors. Those materials indicated that cybersecurity is a matter of fiduciary responsibility under ERISA, and the DOL has reportedly recently begun issuing information and document requests that include questions regarding compliance with the recent guidance.
Audit requests now ask that plans provide “all documents relating to any cybersecurity or information security programs that apply to the data of the Plan, whether those programs are applied by the sponsor of the Plan or by any service provider of the Plan.” This includes detailed documentation showing the specific actions taken by the plan’s fiduciaries and vendors, including descriptions of safeguards and controls.
The comprehensive inclusion of the cybersecurity guidance in DOL audits—along with a recent uptick in cyberattacks—should encourage plan fiduciaries to act promptly to ensure compliance.