Cybersecurity and Audits?

Show me! Three years in, that’s what the Department of Labor (DOL) is asking businesses vis-à-vis responsiveness to its 2021 guidance on cybersecurity. Specifically, plan sponsors need to be ready to present both the company’s policy to protect the plan and documentation of how the policy is implemented.


Intersections: Cybersecurity and Fiduciary Obligations

Groom Law Group’s Alison Itami reminds us that although ERISA law predates the digital workplace, plan sponsors, as fiduciaries, must take cybersecurity ever more seriously, especially since cybercrime is on the rise:


ERISA, enacted in 1974, does not explicitly address a fiduciary responsibility for cybersecurity. It’s not surprising, since people didn’t think much about cybersecurity in the 1970s…. “But obviously, there is a fiduciary duty to make sure that the plan assets are used for the payment of benefits and plan expenses…. Part of that is protecting those assets from hackers and fraud.”

Since releasing cybersecurity guidance in 2021, the DOL has been including documentation requests for security protocols with audit requests sent to plan sponsors. Itami predicts regulators are now “deciding what to do with all the cybersecurity information submitted by plan sponsors,” and anticipates cybersecurity will “start becoming a part of all retirement plan audits.” ERISA experts are urging retirement plan sponsors to act accordingly, ensuring that the company has both a cybersecurity policy to protect the plan, and documented action aligned to the policy:


The work requirement to follow all the DOL’s cybersecurity guidance is substantial. Many organizations don’t have the resources to comply fully, or they don’t feel an urgency to put their resources toward it, said Jon Meyer, chief technology officer at CAPTRUST in Raleigh, North Carolina. “The DOL’s investigators are auditors first, and they are going to say, ‘Show me what your policy is, and then show me that you live up to your policy,’” Meyer said. “The hard part for the employer is to show that it does live up to its policy. People get into trouble when they copy a cybersecurity policy from another organization or get it off the internet, but they don’t actually execute on that policy.”

Assuming a business already has an enterprise-wide cybersecurity plan, Stephen Wilkes of Wagner Law Group says it is possible for plan sponsors to build on that, adding specific protections for the retirement plan: “The added layer here is, on top of what their organization is doing already, what are the additional cybersecurity responsibilities they have with regard to the retirement plan itself?” Plan sponsors are cautioned against assuming that their reputable service providers have cybersecurity well in hand: “The plan sponsor needs to come up with a risk-based approach to document what steps it took with each of the plan’s providers to assess the provider’s cybersecurity….” Given the fiduciary principles of loyalty and prudence, consistent monitoring is essential, as attorney Joseph Lazzarotti underscores:

For years, major financial institutions that work on retirement plans have invested a lot of time and money to build and maintain safeguards that prevent bad actors from stealing participant assets or data. But the assumption some sponsors make that their plan uses Well-Known Vendor X, and so they can simply trust that this large vendor must maintain strong cybersecurity protections, is faulty, Lazzarotti said. “That’s not what the DOL has in mind,” Lazzarotti added. “A plan fiduciary still has to act prudently: do their due diligence, document that they’ve done their due diligence, and make prudent decisions.”

Even while busy using the DOL’s recommended cybersecurity protocols to hire and monitor service providers, plan sponsors cannot ignore the cybersecurity practices in their own businesses. Absent a magic wand, remember that multifactor authentication and continuous training are best practice: “a consistent and regular training program remains the most effective way to ensure that people are prepared for the evolving dangers.” Of course, it’s also wise for plan sponsors to protect their own personal and business assets from the repercussions of fiduciary breach allegations, including those resulting from cyber incidents. Protection is possible and affordable with Fiduciary Liability Insurance from Colonial Surety Company, where a one-year policy, inclusive of 50k Cyber Liability Insurance, costs less than an hour of ERISA defense attorney fees.


Colonial Surety’s efficient Fiduciary Liability & Cyber Liability Insurance packages are specifically designed to help plan sponsors with:

  • DOL Compliance: Colonial’s coverage includes an expert response plan, which is a specific best practice recommended by the Department of Labor to prevent cyber incidents from turning into fiduciary breaches.

  • Comprehensive Protection: All our packages include Fiduciary Liability Insurance, ensuring your business and personal assets are shielded from the repercussions of fiduciary breaches under the high standards of ERISA.

  • Cost-Control: Our packages are available for 1, 2, and 3-year terms, providing flexibility and locked-in rates.



Minimize Your Risks with Maximized Protection Now:

Fiduciary and Cyber Liability Insurance HERE


Colonial Surety Company is rated “A Excellent” by A.M. Best Company, U.S. Treasury listed and in business all across the country. Serving customers since 1930, we are the trusted source for the pension industry to secure legally required ERISA bonds, fiduciary liability insurance and cyber-liability insurance. We help safeguard plan sponsors, pension professionals and financial advisors — and keep their businesses compliant — with pain-free, efficient, and friendly service every time.