Asset owner cybersecurity in crosshairs amid threats

Published on April 11th, 2022


Following the publication of the guidance, cybersecurity audits are now a routine part of the Labor Department's investigative work, said Ali Khawar, acting assistant secretary of the agency's Employee Benefits Security Administration, in an email to Pensions & Investments.

The Labor Department does not want to make "blanket statements about the industry's preparedness based solely on the plans that we have audited," Mr. Khawar said. "It is fair to say, however, that based upon our experience, there are significant vulnerabilities. Those plans we have investigated have shown interest in improving their cybersecurity and implementing the principles set out in the department's guidance."

David Kaleda, a Washington-based principal at Groom Law Group, has had clients' cybersecurity practices investigated as part of routine probes by the Labor Department. When the department asks about a plan's cybersecurity procedures, its questions are "clearly gleaned from the guidance, so they're just kind of using it as a checklist, effectively, in their investigations," Mr. Kaleda said.

Mr. Kaleda added, "The DOL was trying to make it clear that plans, plan sponsors and their service providers need to look at this, and I think the retirement business community has gotten the message and is definitely looking at it."

If the Labor Department finds cybersecurity deficiencies, it will require the plan sponsor or service providers to rectify the issue, Mr. Kaleda said. If the department believes that a participant incurred a loss, such as if an account balance was stolen due to the plan's poor policies and procedures, it likely would require restoration of the loss. It could impose a penalty on the plan in the event of a fiduciary breach resulting in a loss, he added.

The Labor Department guidance aligns closely with the SPARK Institute's standards, said Tim Rouse, Simsbury, Conn.-based executive director at SPARK, which represents retirement industry players such as record keepers, investment advisers, mutual fund companies and benefit consulting firms.

SPARK formed the Data Security Oversight Board, composed of industry stakeholders, which published a set of cybersecurity best practice standards in 2017.

Mr. Rouse said he expects the Labor Department to issue additional guidance and is hopeful fraud prevention is an area of focus.

Callan's Mr. Taylor, vice chairman of SPARK's Data Security Oversight Board, said the current guidance is an excellent starting point but "not an endpoint by any stretch."

Mr. Khawar has said several times publicly that the 2021 guidance will not be the end of the department's work in the cybersecurity arena. When asked if further guidance or a rule-making initiative was possible, Mr. Khawar said in the email, "We may issue additional guidance in the future relating to topics and plans not specifically discussed in the guidance documents."

He added, "ERISA-covered plans hold trillions of dollars in assets and the personal data of more than 150 million American workers and their dependents. Without strong cybersecurity practices, these retirement assets and personal data are at risk. Unfortunately, plans are not immune from the same sort of cybercrimes that we have seen in so many other contexts."