DOL Stepping Up Cybersecurity Focus

Regulatory Agencies

There’s been increasing awareness—and litigation—regarding cybersecurity and participant accounts—and the Labor Department has taken notice.

Sources tell us that plan audits are now asking to see employers’ written cybersecurity policies and procedures—and asking about cybersecurity attacks, and the response(s) to them.

Recent litigation involving Abbott Labs (see Plan Sponsor Back in Crosshairs of Data Breach Suit), Estee Lauder (Plan Sponsor Charged in 401(k) Account Theft), MandMarblestone Group (Court Backs TPA Counterclaim on Plan Sponsor in 401(k) Cyber Theft Case) and Boeing (Man Charged with Retirement Account Thefts) has highlighted the issue and the fiduciary duty to protect plan participants’ confidential information and to safeguard participants’ accounts from cyber fraud.

In a September Risk Alert from the Securities and Exchange Commission (SEC)’s Office of Compliance Inspections and Examinations (OCIE), the SEC cautioned that it has observed an increase in cyberattacks against registered investment advisers (RIAs) and broker-dealers (BDs), which in some cases has resulted in the loss of customer assets and unauthorized access to customer information.

Earlier this year the DOL issued a new rule titled “Default Electronic Disclosure by Employee Pension Benefit Plans under ERISA,” which provided safe harbor relief to plan administrators who satisfy specific conditions in delivering electronic communications, but in unveiling that rule also noted that “…the Department expects that many plan administrators, or their service or investment providers, already have secure systems in place to protect covered individuals’ personal information.”

Apparently those expectations are going to be “vetted.”

See also 5 Steps to Cyber Security and Cybersecurity More Effective if Regularly Reinforced, Study Says