Last updated on May 25th, 2022

Of the many responsibilities Employee Retirement and Income Security Act (ERISA) plan sponsors, fiduciaries, and recordkeepers must uphold, one of the most challenging relates to cybersecurity to protect plan assets and plan participants’ information. The US Department of Labor (DOL) upped the ante associated with cybersecurity last year when it issued first-of-a-kind new guidance in April and, within several weeks, started auditing for compliance.

With cyber threats and attacks on the rise, in April of 2021 the DOL issued a three-part guidance package (Cybersecurity Program Best Practices; Tips For Hiring a Service Provider; and Online Security Tips) and specified plan fiduciaries are obligated to mitigate cybersecurity risks within their own operations, vendors’ operations and prospective vendors’.  To reinforce this guidance, the DOL began requesting information and documents to audit compliance.

According to the Employee Benefits Security Administration, as of 2018, there were an estimated 34 million defined benefit plan participants in private plans and 106 million plan participants in defined contribution plans with estimated American retirement assets exceeding $9 trillion. That’s an attractive target for cyber criminals and threats. The American Society of Pension Professionals and Actuaries indicates that while the April 2022 guidance was the first related to cybersecurity, it complements regulations on electronic records and disclosures to plan participants and beneficiaries about protecting personally identifiable information.

The DOL wasted no time reinforcing cybersecurity is one of its top priories. Within two months of issuing the guidance, it began requesting documents and information about plan cybersecurity policies and practices as part of retirement plan audits.

According to the Society for Human Resource Management (SHRM), the DOL asks for “all documents relating to any cybersecurity or information security programs that apply to the data of the Plan, whether those programs are applied by the sponsor of the Plan or by any service provider of the Plan.” This may include policies, procedures, and guidelines for access controls and identity management; processes for business continuity, disaster recovery and incident response; third-party providers’ management; cybersecurity training; data encryption; documents and communications about past incidents; service providers’ documents and communications regarding cybersecurity capabilities and procedures and how plan data is used, and more.

Bloomberg Tax created a cybersecurity audit checklist for plan fiduciaries based on the DOL guidance, and an action plan to promote compliance. It suggests fiduciaries should get informed about cybersecurity governance; get expert support when needed; identify data flow and storage; and assess fiduciary conduct to date.

Going forward, many sources indicate that while the immediate focus is on retirement plan assets and participants, fiduciaries and plan sponsors may want to prepare to uphold the same guidance for their health and welfare plans.

If you’re unsure about anything related to compliance with the guidance or audits, it’s always a good idea to consult your benefits legal counsel. For assistance with benefit plan accounting, taxes, and audits, you can trust RBT CPAs – a leading provider in the Hudson Valley for over 55 years.