Cybersecurity: Department of Labor Guidance for Retirement Plan Sponsors
As sponsors of 401(k) and other retirement plans, employers typically rely on plan service providers (e.g. recordkeepers, trustees, etc.) to maintain plan accounts, keep participant accounts secure and keep participant data confidential. As fiduciaries, employers must act with the care and diligence that a “prudent” person would exercise under the circumstances. Thus, it is imperative that employers retain retirement plan service providers that have strong cybersecurity practices. The Department of Labor (“DOL”) recently issued guidance to help employers meet their cybersecurity fiduciary responsibilities under ERISA.
In selecting a service provider, the DOL set forth the following inquiries an employer should make:
1) ask the service provider about its information security standards, practices, policies and audit results;
2) ask the service provider how it validates its practices and what levels of security standards it has met;
3) ask whether the service provider has had past security breaches and, if so, what corrective measures were taken;
4) ask the service provider about any insurance policies it has in place to cover any losses associated with cybersecurity and identity theft breaches; and
5) make sure the service provider has an ongoing program to maintain compliance with cybersecurity and information security standards.
These same inquiries should be made with respect to any existing service providers.
Significantly, by providing this guidance for selecting service providers, the DOL is also setting forth what it believes is an employer’s expected fiduciary standard of care. Employers must be proactive in mitigating cybersecurity risk. Employers should also take steps to inform plan participants about ways to keep their online information and accounts secure.