On April 14, 2021, the Department of Labor (DOL) issued its first set of guidance documents related to the cybersecurity of retirement benefit plans covered by the Employee Retirement Income Security Act (ERISA). The three-part guidance is aimed at various stakeholders—plan fiduciaries, service providers, plan participants and beneficiaries—and provides cybersecurity expectations for plan fiduciaries and best practices for their service providers.
Cybersecurity has become an area of critical importance to plan sponsors and administrators of employee benefit plans, as well as their service providers, as they increasingly rely on the Internet and IT systems to administer those plans. In a February 2021 Government Accountability Office (GAO) Report, the GAO, an independent and non-partisan U.S. legislative agency that monitors and audits government spending and operations, highlighted the significant cybersecurity risks to benefit plans and called on the DOL to clarify responsibilities for fiduciaries and provide guidance related to minimum cybersecurity expectations. Although DOL’s recent guidance is “sub-regulatory guidance,” which does not have the authority of federal agency regulations under the Administrative Procedure Act (APA), the guidance presents DOL’s first official action focused on mitigating the significant cybersecurity risks to participant data and plan assets.