Not a day goes by without another news story about a cybersecurity incident compromising the data of a few million people. Although such incidents are no longer big news, in the employee benefits world cybersecurity had largely been a back-burner issue, even as cybersecurity claims emerged as a new frontier in ERISA fiduciary duty litigation. On April 14, 2021, the DOL took a step toward changing all that, issuing three separate “guides” aimed at 1) plan sponsors/fiduciaries; 2) participants/beneficiaries; and 3) plan service providers, along with a warning from the Acting Assistant Secretary for Employee Benefits Security of the “importance that plan sponsors and fiduciaries must place on combatting cybercrime.” In addition, the DOL has repeatedly foreshadowed its intention to investigate retirement plan cybersecurity programs and practices, and rumor has it that the DOL has begun to do exactly that.
So what should an employer or other plan fiduciary know and do right now? They must take ownership of their duties both 1) to protect participant data and plan assets within the sponsoring company, or “in-house”; and 2) to ensure that “outside” service providers have strong cybersecurity practices that apply to their plans. See the more detailed article titled "Is Your Plan Cybersecure Right Now?" by Deborah Fabricant, which lays out a plan of action for right now, and the recent webinar on the topic by Deborah and Sherrie Boutwell.