In April 2021, the Employee Benefits Security Administration division of the United States Department of Labor (“DOL”) issued cybersecurity-related guidance intended to assist business owners and plan fiduciaries in prudently selecting and monitoring recordkeepers, including:
While the guidance does not have the force of regulations, it sets forth DOL’s position that plan fiduciaries have a duty to take precautions to mitigate cybersecurity risks. Since April 2021, DOL investigations of ERISA plan sponsors have included questions regarding the plan sponsor’s cybersecurity oversight of the plan’s vendors and the plan sponsor’s own internal cybersecurity protocols to protect participants’ confidential information.
The recent decision in Walsh v Alight Solutions, LLC, 2022 WL 3334450 (7th Cir. 2022) regarding the enforcement of a DOL investigative subpoena was triggered by alleged cybersecurity breaches involving retirement accounts of ERISA plan participants for which Alight Solutions, LLC (“Alight Solutions”) provides third party administrative services. Regardless of whether there are actual cybersecurity concerns at Alight Solutions, the DOL’s broad investigation of a third party administrator (Alight maintained that the subpoena “would require production of virtually every document concerning its ERISA business” and that “thousands of hours of work would be required to respond”) should be a red alert for the importance of good monitoring protocols for all plan vendors. Lapses in cybersecurity (or other operational issues) at a third party administrator may cause the DOL to open investigations of the third party administrator’s clients. If a client’s monitoring and internal cybersecurity protocols and practices are consistent with the April 2021 guidance, the client is likely to withstand DOL scrutiny.
The Alight decision is a reminder that plan sponsors need to (i) adopt good monitoring protocols for their retirement and health plan vendors, and (ii) conduct an internal audit of all systems used to maintain confidential employee/participant data that is shared with these vendors through electronic transmission.