Plan sponsors, fiduciaries, and service providers are being asked with increasing frequency by DOL investigators how their ERISA-governed plans address cybersecurity concerns. These requests may take the form of document production requests or be included as questions in an interview. Investigators typically seek information or documentation showing prudent diligence regarding service providers' information security protocols and the indemnifications they offer, with the aim of keeping participants' account balances intact. We have seen a sharp uptick in such inquiries since the DOL issued a set of cybersecurity best practices and tips earlier in 2021 (our summary of the best practices is available here). To date, DOL investigations have generally focused not only on the policies and procedures that plans and providers have in place to thwart cyber-criminals, but also on the steps taken by plans and recordkeepers in response to cyber-incidents.

Concerns about account takeovers by cyber-criminals have also risen sharply as the pandemic has pushed many into remote work, delayed traditional postal-service-based identity verification, and stretched personal finances. This combination can lead to an increase in distribution requests, not all of which may come from the true participant. Efforts to educate fiduciaries and participants about these dangers have unfortunately been accompanied by enforcement inquiries, sometimes leaving sponsors and fiduciaries at a loss as to how to respond.

It is important for benefit plan sponsors and service providers to take a proactive approach to cybersecurity and to be prepared for a possible DOL investigation. Although the immediate attention has been on retirement plans, health and welfare plan sponsors and fiduciaries should also be prepared to field questions about cybersecurity from DOL investigators.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.