DOL Reportedly Begins Cybersecurity Plan Audits

Regulatory Compliance

If the threat of a cybersecurity breach wasn’t enough cause for concern to prompt action, an inquiry by the Department of Labor might do the trick. 

“We can confirm that the DOL has begun issuing information and document requests under this new initiative, and the requests are probing and indicate serious inquiry by the DOL,” attorneys at the law firm of Morgan Lewis write in a June 11 blog post. 

According to the attorneys, the DOL is asking plan fiduciaries to produce “all cybersecurity and information security program policies, procedures and guidelines that relate to the plan, whether applied by the plan sponsor or by a vendor, as well as detailed documentation evidencing specific actions taken by the plan’s fiduciaries and vendors.” 

The inquiries by the DOL come less than two months after the Employee Benefits Security Administration issued guidance on April 14 on cybersecurity best practices for recordkeepers, plan sponsors and fiduciaries, and participants and beneficiaries. 

While EBSA has issued regulations on electronic records and disclosures to plan participants and beneficiaries in the past, this apparently was the first time it has issued specific cybersecurity guidance—and even then, the guidance was only in the form of recommended best practices and not formal guidance. 

Publication of the best practice recommendations came less than a month after the Government Accountability Office called for definitive guidance from the DOL on the issue—noting that “the Department of Labor hasn’t clarified whether plan administrators are responsible for mitigating cybersecurity risks and hasn’t set minimum expectations for protecting personal information.” 

“News of the DOL beginning this audit program should not come as a surprise. However, it is fair to say that both the pace with which the DOL has begun its audits and the depth and breadth of the initial round of requests is surprising,” the Morgan Lewis attorneys write. 

In an April speech before the American Savings Education Council, DOL Acting Assistant Secretary Ali Khawar explained that while the cybersecurity guidance didn’t establish standards, the department thought it was important to share best practices it would like to see in terms of what each stakeholder group should be doing. Khawar had also noted that this is an important area and that the guidance is just the beginning of the department’s work. 

Nonetheless, the news of the DOL initiating audits should serve as a call to action for plan sponsors and service providers, especially given the ongoing threat and increases in cybercrime.