We repeatedly warned over the past few months (here, here, and here) that officials at the highest levels of the DOL were signaling that the DOL would begin an audit initiative focusing on retirement plan cybersecurity practices. Despite plan fiduciaries having had just a handful of weeks to digest the DOL’s only actionable guidance on cybersecurity and privacy matters, the wait is over. We can confirm that the DOL has begun issuing information and document requests under this new initiative, and the requests are probing and indicate serious inquiry by the DOL.
Addressing what they call the four major “crises” facing the nation—COVID-19, the economy, climate, and inequity—US President Joseph Biden and Vice President Kamala Harris have consistently framed many of their most important executive actions and policy proposals as attempts to prioritize one or more of these four policy concerns. Read our LawFlash for a recap of some of the more wide-reaching and impactful (or in some cases, potentially impactful) executive orders, legislative actions, policy proposals, and other developments during the first 100 days of the Biden-Harris administration.
The US Department of Labor (DOL) issued three long-awaited pieces of subregulatory guidance on April 14, addressing the cybersecurity practices of retirement plan sponsors, service providers, and plan participants, respectively. The guidance provides an important window into the DOL’s expectations of what ERISA’s prudence standards require with respect to cybersecurity matters.
Join Morgan Lewis this month for these programs on employee benefits and executive compensation.
There has been an increasing focus in recent years on the intersection of ERISA’s fiduciary duties and the issues of cybersecurity and data (including participant data) protection. Beyond the potential for pecuniary and reputational harm due to a breach, this interest has been driven by an increasing number of lawsuits in which plaintiffs allege that a plan fiduciary and/or service provider breached ERISA by failing to protect against a cybersecurity attack or data breach.
Reversing a lower court’s decision, the US Court of Appeals for the Second Circuit issued an opinion in Cooper v. DST Systems, Inc., et al., finding that an arbitration agreement signed by an employee as part of his employment did not require that he arbitrate any fiduciary breach claims challenging the investment options and fees in his employer’s 401(k) plan. Read our recent LawFlash to learn more about the decision and the potential implications.
In a somewhat expected development, the US Department of Labor’s Employee Benefits Security Administration (EBSA) issued an enforcement statement on Wednesday announcing that it will not enforce the recently published final rules on “Financial Factors in Selecting Plan Investments”—commonly known as the ESG Rule—and “Fiduciary Duties Regarding Proxy Voting and Shareholder Rights” (Proxy Voting Rule).
Since 2012, US Department of Labor (DOL) regulations under ERISA Section 408(b)(2)—a statutory exemption from the ERISA prohibited transaction provisions—have required certain service providers to employer-sponsored retirement plans to make detailed disclosures about their services and related “direct” and “indirect” compensation to a “responsible plan fiduciary” of the plan.