Cybercriminals’ recent focus on the large amount of assets held in retirement plans has rightly received much publicity. That focus, and the resulting theft of participants’ retirement plan accounts in several cases, led to a February 11, 2021 report from the Government Accountability Office (“GAO”). In that report, the GAO stated that it “is making two recommendations to DOL to formally state whether it is a fiduciary’s responsibility to mitigate cybersecurity risks in [defined contribution retirement] plans and to establish minimum expectations for addressing cybersecurity risks” in those plans.
In response, the DOL issued guidance on April 14, 2021 that was the DOL’s first guidance directly addressing cybersecurity in retirement plans. On a broad level, the DOL’s position was that plan fiduciaries must mitigate cybersecurity risks in their plans. That guidance was unclear, however, as to whether it applied only to defined contribution retirement plans.
On September 6, 2024, the DOL published an update to that April 2021 guidance. The new guidance, which is Compliance Assistance Release No. 2024-01 (the “Release”), modifies the 2021 guidance by clarifying that such guidance and the Release apply “to all types of ERISA plans, including health and welfare plans and all employee pension benefit plans.” That is reflected in the following updated guidance in the Release:
Plan sponsors may wish to review this guidance and discuss it with their IT personnel and their plan’s service provider(s). Plan sponsors could also consider communicating the “Online Security Tips” guidance to plan participants (and to beneficiaries of deceased participants) and using that guidance in future educational campaigns.