In April, the U.S. Department of Labor (DOL) issued guidance providing tips and best practices to help retirement plan sponsors and fiduciaries better manage cybersecurity risks.1 Although the guidance has only been available for a few months, we recently learned of several investigations that the DOL has initiated regarding retirement plan cybersecurity practices.
The requests for information and documentation that we reviewed reveal the DOL is asking for all documents relating to any cybersecurity or information security programs that apply to the plan data used by the sponsor or by any plan service provider, information on any past cybersecurity incidents, information about the permitted uses of participant data (i.e., cross-selling or marketing products and services), and other documents as detailed below.
DOL’s document and information request sample
On audit, plan sponsors and fiduciaries must demonstrate that they followed a prudent process for ensuring that both they and their service providers have strong cybersecurity programs in place. Following is a sample of the documents and information requested:
- All policies, procedures or guidelines relating to:
- Data governance, classification and disposal
- The implementation of access controls and identity management, including any use of multi-factor authentication
- The processes for business continuity, disaster recovery and incident response
- The assessment of security risks
- Data privacy
- Management of vendors and third-party service providers, including notification protocols for cybersecurity events and the use of data for any purpose other than the direct performance of their duties
- Cybersecurity awareness training
- Encryption to protect all sensitive information transmitted, stored or in transit
- All documents and communications relating to any past cybersecurity incidents
- All security risk assessment reports
- All security control audit reports, audit files, penetration test reports and supporting documents, and any other third-party cybersecurity analyses
- All documents and communications describing security reviews and independent security assessments of the assets or data of the plan stored in a cloud or managed by service providers
- All documents describing any secure system development life cycle (SDLC) program, including penetration testing, code review and architecture analysis
- All documents describing security technical controls, including firewalls, antivirus software and data backup
- All documents and communications from service providers relating to their cybersecurity capabilities and procedures
- All documents and communications from service providers regarding policies and procedures for collecting, storing, archiving, deleting, anonymizing, warehousing and sharing data
- All documents and communications describing the permitted uses of data by the sponsor of the plan or by any service providers of the plan, including, but not limited to, all uses of data for the direct or indirect purpose of cross-selling or marketing products and services
Going forward
Plan sponsors and fiduciaries should consider the following actions to help prepare for a potential audit:
- Review the DOL cybersecurity tips and best practices and determine whether changes should be made to their procedures for hiring service providers.
- Review existing service provider cybersecurity standards, practices and policies to ensure they follow the DOL cybersecurity guidance; consider updating contracts to include the provisions recommended by the DOL for enhancing cybersecurity protection.
Plan sponsors should also determine whether they need to make changes to their own internal procedures for maintaining and protecting participant data in light of the DOL guidance. Similarly, they should review how they communicate the importance of cybersecurity with participants.
Footnote
1 See “DOL issues cybersecurity tips and best practices,” Insider, May 2021
