Retirement Plan Cybersecurity Audits Shock Unprepared Industry

June 28, 2021, 9:00 AM

The U.S. Department of Labor’s abrupt enforcement of retirement plan cybersecurity just two months after it first issued guidance on the issue has caught many in the industry off guard.

Investigators with the DOL’s Employee Benefits Security Administration this month began asking plan sponsors questions and seeking documents related to cybersecurity policies and procedures, according to law firms whose clients are the subject of those audits.

EBSA believes cybersecurity should be a chief concern for sponsors and service providers to protect an estimated $9.3 trillion worth of stored American retirement assets. Amid a growing online threat, the agency issued cybersecurity tips and best practices for the first time in mid-April and has since identified data enforcement as a top budget priority for the coming fiscal year.

But the speed with which the employee benefits regulator has turned its guidance into enforcement is alarming, attorneys say.

“This is shocking to us,” Jenny Holmes, deputy leader for the Nixon Peabody LLP Data Privacy and Cybersecurity team, said in an interview. “Usually when guidance is issued, we’d have at least a year to check ourselves before audits would begin. That doesn’t seem to be happening this time.”

Cybersecurity inquiries have been limited to ongoing audits. Attorneys who briefed Bloomberg Law on the audit requests say EBSA hasn’t yet launched a full-scale plan sponsor investigation into cybersecurity practices alone. Its cybersecurity enforcement so far has amounted to detailed questions and document requests that are in line with the tips and best practices it issued in April.

That’s the model the agency established in the missing participants enforcement program it launched in 2017, which is still ongoing. If it sticks to that enforcement design, the agency may dig in and initiate targeted cybersecurity audits at a later date.

“If my inbox over the past couple of days is any indication, plan sponsors are taking this seriously,” Holmes said. “They are taking a look at their policies and procedures to make sure they’re sufficient and reviewing agreements they have with recordkeepers to ensure they are protecting the data they have.”

Cyber Hygiene Priorities

An EBSA spokesman confirmed last week that cybersecurity has become a routine part of the agency’s retirement plan auditing process. The goal, the agency said in a statement, is not to recover losses from catastrophic security breaches but to help plans avoid them in the first place. Although cyber hygiene is only now becoming a part of EBSA’s enforcement prerogative, the fiduciary obligations at issue are not new.

“The time to pay careful attention to cybersecurity risks and mitigate them is right now,” the agency said. “The longer risks go unaddressed, the greater the likelihood of serious harm to retirement plans and their assets.”

EBSA’s audit requests are broad and comprehensive, said Elizabeth Goldberg, a partner at Morgan, Lewis & Bockius LLP in Pittsburgh. The agency has asked plan fiduciaries to produce cybersecurity and information security program policies, procedures, and guidelines that relate to the plan, whether applied by the plan sponsor or by a vendor.

In many cases, that’s not information plan sponsors have readily available, because much of the data about their participants is maintained by recordkeepers and plan custodians, she said.

Goldberg cautioned that it’s unclear what the agency’s motivations are and whether the questions it’s asking plan sponsors are part of an information drive or a clear warning sign that the industry must adhere to guidance whose ink has barely dried.

“I’m not surprised they’re enforcing it, but I was surprised it happened so quickly,” Goldberg said. “This subregulatory guidance just came out. My sense is that plan sponsors and service providers haven’t had an opportunity to digest the interpretations.”

A punitive regulatory approach without the standard notice-and-comment process would be “unfair,” especially so soon after the best practices were issued, she said. For now, though, she’s just trying to get the message out far and wide that the cybersecurity audits she and her colleagues have been warning about for months now appear to be in full swing, well ahead of anyone’s expectations.

To contact the reporter on this story: Austin R. Ramsey in Washington at

To contact the editors responsible for this story: Martha Mueller Neff at; Travis Tritten at