Retirement plan fiduciaries can expect to field questions and document requests about their cybersecurity practices and policies as part of the Department of Labor's Employee Benefits Security Administration's routine plan audits.
While EBSA investigators had opened inquiries into plan fiduciaries' cybersecurity practices in the past, since the department issued its first cybersecurity guidance in April, cybersecurity questions are now standard, said Ali Khawar, acting assistant secretary for EBSA, in a phone interview.
Mr. Khawar declined to get into specifics about the types of documents investigators are now seeking from plan fiduciaries because each case is "context specific."
But if plan fiduciaries read through the EBSA cybersecurity guidance and make an effort to comply, "I don't think they would be surprised by the kinds of questions they would get from our investigators," Mr. Khawar said.
The Labor Department on April 14 unveiled a three-piece guidance package detailing best practices for maintaining cybersecurity for plan sponsors, plan fiduciaries, record keepers and plan participants.
The first piece of guidance included tips for plan sponsors and fiduciaries on how to select a service provider with strong cybersecurity practices and how to monitor the service provider's activities. The tips include asking whether the service provider has experienced past security breaches, what happened and how the service provider responded, and making sure any contract with a service provider requires ongoing compliance with cybersecurity and information security standards.
The second piece of guidance was a list of 12 cybersecurity program best practices for plan sponsors and record keepers, such as having a reliable annual third-party audit of security controls and ensuring that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
The final piece was a set of online security tips for participants and beneficiaries when accessing a retirement account.
Broadly, "cybersecurity is about technology and it can be a very technical area, but if you take a step back and you think about the guidance that we issued, really that guidance is reaffirming very longstanding and very commonly understood principles," Mr. Khawar said.
But Matthew H. Hawes, a partner with law firm Morgan, Lewis & Bockius, is surprised the EBSA is asking plan fiduciaries about their cybersecurity practices this soon after issuing the guidance.
"Plan fiduciaries are still digesting this and they're still looking at their existing practices, procedures and policies, and evaluating them in light of the new guidance and making determinations whether there need to be any changes," Mr. Hawes said in a phone interview.
"To have a deep and fulsome audit initiative coming before fiduciaries have much of an opportunity to fully digest and address their own policies, procedures, guidelines and practices is really surprising and even a little bit unfair," he said. "But from the DOL's perspective, they might say, 'None of the guidance should be all that surprising; we've always believed that this is within the scope of the fiduciary's responsibilities.'"
Mr. Hawes said that, based on his conversations with clients, some of EBSA's cybersecurity inquiries focus more on gathering information, while others ask for documents and much greater detail as outlined in the guidance.
"We don't know which direction or what the flavor of these audits is going to be as the initiative continues to evolve," Mr. Hawes said. "DOL audit initiatives may start out in one spot, but they can evolve over time."
Mr. Hawes said plan fiduciaries should review the guidance and understand the Labor Department's expectations to see if they need to make any changes to their cybersecurity practices and policies.
Looking ahead, EBSA intends to issue further cybersecurity guidance, Mr. Khawar said. "One of the things that we're going to continue to do outreach about and monitor as we continue along this path is where else guidance might be helpful," he said. "I think this is going to be an enforcement priority for the foreseeable future. It is a critically important issue."