In April 2021, the U.S. Department of Labor (DOL) issued its first-ever guidance to retirement plan sponsors, service providers and plan participants on cybercrime. Issued as “guidance” rather than as regulations, the suggested tips are a likely precursor to what may become minimum cybersecurity standards by law.
The U.S. Government Accountability Office (GAO) recently urged the Department of Labor to issue guidance identifying minimum expectations for mitigating cybersecurity risks. The GAO rightly recognized that while the pace of technological change in our increasingly digital world has brought innumerable improvements to our personal and professional lives, those improvements are accompanied by a variety of cybersecurity risks. Retirement plan participant data and assets are a significant target of cybersecurity threats, and plan sponsors, recordkeepers, and service providers have a responsibility to protect accounts and personally identifiable information (PII).