PLANSPONSOR - December 2021 - January 2022 - 38

FIDUCIARY FORUM
The Cybersecurity Challenge
Time to implement the DOL tip sheets and get prepared for enforcement
As we ring in the new year, we would love to tell our
retirement plan fiduciary readers that all is right with
the world of retirement benefits. Unfortunately, that's
not the case and cybercriminals are one of the reasons: they
are after your retirement plan participants' data and accounts. If
you haven't done so already, it's time to add a thorough cybersecurity
review to your plan committee's agenda. The good news
is that you have guidance to assist in fulfilling your fiduciary
duty to select and monitor those individuals and service providers
responsible for keeping plan participant data secure and confidential.
This guidance comes in the form of three Department
of Labor (DOL) tip sheets plus numerous cybersecurity-related
questions and document requests, which the DOL has been
sending to our clients that have retirement plans currently under
DOL investigation.
Plan fiduciaries can be challenged on this duty to monitor
cybersecurity issues, either in a breach of fiduciary duty lawsuit
(i.e., as part of a class action litigation filing against the plan
committee) or a DOL investigation. To respond to these challenges,
prudent plan fiduciaries have the opportunity to use the
information from the DOL's tip sheets and current retirement
plan investigations to establish a selection and monitoring process
with respect to the cybersecurity practices of any individual or plan
service provider with access to retirement plan participant data.
Regarding the three DOL tip sheets, which were issued in
April 2021, the first, "Hiring a Service Provider With Strong
Cybersecurity Practices," is written specifically for fiduciaries.
It suggests tips to consider in the service provider selection and
monitoring process, including reviewing the provider's security
standards, asking questions about its real-life security practices
and recommending specific terms to think about including in
the retirement plan's contract with the service provider. The
other two tip sheets, "Cybersecurity Program Best Practices" and
"Online Security Tips," give best practice recommendations for
providers and participants, respectively.
DOL Accelerates Investigations
The DOL has also recently told several of our clients under
investigation that it's now reviewing cybersecurity in all of its
cases. This means that prudent fiduciaries should be aware, in
advance, of the questions the agency will ask and the documents
it will request. Doing so will help demonstrate a prudent service
provider cybersecurity monitoring process and also avoid a mad
scramble to supply that information to the DOL; i.e., this information
typically must be given within several weeks after the
DOL requests it.
The DOL document requests we have seen ask for many
different types of documents including emails discussing cybersecurity
procedures, protection or problems; written cybersecurity
policy documents; and information describing access controls,
physical controls and third-party
vendor involvement. We have
also seen the DOL ask numerous
written questions (in one
instance, over 40 questions).
The questions the DOL is
asking are much more detailed
and specific than the general
principles outlined in the above-described
DOL tip sheets and
include requests for: written
policies, procedures or other documents governing the information
technology (IT) systems that handle plan information; information
on any event, breach or suspicious activity; information
regarding the key systems supporting employee benefits; information
regarding third-party vendors that provide outsourced
systems and plan sponsor oversight; timing and results of any
cybersecurity audit; the preparedness of the plan sponsor and
each vendor in the event of a breach or other emergency; and
the process/protections that the plan sponsor and each service
provider take to hire, train and monitor employees with access
to participant data.
Plan fiduciaries best protect themselves by identifying a fiduciary
issue and developing a prudent process to review and analyze
it. If you don't have someone from your IT or cybersecurity team
involved to assist the committee, now is the time. The committee
and IT leadership should consider reviewing the DOL tip sheets,
the list of DOL document requests and investigative questions,
and all of the prior information/activities the fiduciaries have
received or performed regarding the security of participant data.
Summer Conley is a partner in the Los Angeles office of Faegre
Drinker Biddle & Reath LLP. Michael Rosenbaum is a partner in
the firm's Chicago office.
Art by Joseph Ciardiello
http://www.PLANSPONSOR.COM
