Attorneys from Morgan, Lewis & Bockius LLP have confirmed that the Department of Labor (DOL) has begun an audit initiative focused on retirement plan cybersecurity practices.
In a blog post, the attorneys say the DOL has issued information and document requests to plan sponsors, “and the requests are probing and indicate serious inquiry by the DOL.”
The agency issued cybersecurity guidance for the first time in April. The guidance included three parts:
- tips for hiring a service provider with strong cybersecurity practices;
- cybersecurity program best practices; and
- online security tips for participants.
Although there’s not much new information in the DOL guidance from what had already been suggested by experts, according to Andrew Elbon, a partner with law firm Bradley, plan fiduciaries should ensure they are putting the DOL’s guidance in practice.
The Morgan Lewis attorneys say the DOL audit requests are coming at a fast pace and request a broad amount of information and documentation. The requests that the attorneys have reviewed ask for all cybersecurity and information security program policies, procedures and guidelines that relate to the plan, whether applied by the plan sponsor or by a provider, as well as detailed documentation of specific actions taken by the plan’s fiduciaries and providers, including many that the DOL addressed in its guidance.
“Plan fiduciaries that fail to act promptly on this guidance risk being surprised by the comprehensive nature of the cybersecurity audit requests being issued by the DOL,” the attorneys warn.