We repeatedly warned over the past few months (here, here, and here), that officials at the highest levels of the DOL were signaling that the DOL would begin an audit initiative focusing on retirement plan cybersecurity practices. Despite plan fiduciaries having had just a handful of weeks to digest the DOL’s only actionable guidance on cybersecurity and privacy matters, the wait is over. We can confirm that the DOL has begun issuing information and document requests under this new initiative, and the requests are probing and indicate serious inquiry by the DOL.
News of the DOL beginning this audit program should not come as a surprise. However, it is fair to say that both the pace with which the DOL has begun its audits and the depth and breadth of the initial round of requests is surprising. Broadly speaking, the DOL audit requests that we have reviewed ask the plan fiduciary to produce all cybersecurity and information security program policies, procedures, and guidelines that relate to the plan, whether applied by the plan sponsor or by a vendor, as well as detailed documentation evidencing specific actions taken by the plan’s fiduciaries and vendors (including many that the DOL addressed in the three-part subregulatory guidance discussed in our LawFlash).
The fact that the DOL has already begun its cybersecurity audit initiative reiterates the urgency with which plan fiduciaries and service providers should consider acting on the DOL’s recent three-part subregulatory guidance addressing retirement plan cybersecurity practices. Plan fiduciaries that fail to act promptly on this guidance risk being surprised by the comprehensive nature of the cybersecurity audit requests being issued by the DOL.
If you receive a DOL audit request addressing cybersecurity issues or are deciding how to best address the DOL’s recent three-part subregulatory guidance, or if you have any questions about retirement plan cybersecurity practices generally, please feel free to contact the authors or your Morgan Lewis contacts.