Subpoena: Cybersecurity Records Please



That’s what retirement plans are receiving from the Department of Labor (DOL). Given the stepped up expectations on cybersecurity over the past year, scrutiny of policies and practices is becoming part of the investigation and audit process. Experts share a recent case example and urge plan sponsors and their service providers to update cybersecurity protocols.


Case In Point

According to JD Supra, an administrative subpoena that the DOL issued to a service provider to obtain cybersecurity records has been enforced by a district court. The service provider argued, among other things, that “compliance would be extremely burdensome,” but the court was not impressed. As JD Supra reports: “The subpoena is part of an investigation into the service provider after it allegedly processed unauthorized distributions as a result of cybersecurity breaches relating to its ERISA plan clients. Moreover, it is alleged that the service provider…did not immediately report the cyber breaches and the related unauthorized distributions to its clients…and instead waited months to notify the plans.”


Unauthorized Distributions?

As fiduciaries, plan sponsors need to stay on top of what service providers are doing to prevent fraudulent distributions from retirement accounts. Andrew Williams, Partner at Golan Christie Taglia LLP, counsels: “verify that plan service providers adequately protect participant account information with secure systems and practices to stop unauthorized distributions by generating security alerts (and participant notices) when there are changes in account information such as new passwords and access devices — as well as distribution requests.” If you are not sure where to start in working with your service providers, ask for the System and Organization Control (SOC) report. Review it to deepen your understanding of the security controls in use and the potential risks that might still need attention. You can then discuss it with your service providers, agree on further actions—and document your process.


Another important best practice for plan sponsors is obtaining fiduciary liability insurance. Even a defense against allegations of a fiduciary lapse is costly and disruptive. Colonial Surety is here to help with affordable fiduciary liability insurance which covers the business—and the plan sponsor—against claims of alleged or actual breaches of duty in connection with the employee retirement plan. Colonial even includes cyber liability insurance—and the annual premium for this comprehensive protection is less than just an hour or two with an ERISA lawyer will cost if you are subpoenaed or faced with allegations. Get covered today:


Choose Your Plan Sponsor Liability Protection Here.


Vetting Cybersecurity Practices?

Yes, that’s what plan sponsors are expected to do, which can be particularly challenging for small businesses. As one legal expert told Bloomberg Law: “The plan fiduciaries are the ones who have the ultimate responsibility to mitigate risk…It’s up to them when they hire someone to keep records and to consider a lot of factors, including cybersecurity…Plan sponsors who may lack the training or experience needed to vet another company’s cyber practices are still legally bound to do so.” Accordingly, experts stress the importance of plan sponsors reviewing the cybersecurity guidance the U.S. Department of Labor (DOL) provided in 2021 and suggest specific action steps in response. For example, requiring multi-factor authentication before participants can access their retirement accounts is an effective safeguard against fraudulent distributions. Some service providers have even begun using video for authentication.


Cyber Breach Response Plan?

While finding out what all of your service providers are doing to increase the cybersecurity of the retirement plan, do not neglect your own efforts. With Colonial’s help, you can put a cyber breach response plan in place, affordably, today. Remember, a cyber breach is not always a disaster, but mishandling it is. In fact, cyber breaches can also lead to allegations of fiduciary breaches. That’s why Colonial Surety’s multi-year protection packages for plan sponsors conveniently come with cyber liability insurance. Choose your package today. Then, in the event of a cyber breach at your business, experts will identify what’s been compromised and coordinate the response. Liability protection in the event of covered lawsuits or regulatory actions due to a data breach is included too.


Colonial’s multi-year packages provide the greatest convenience and value, ensuring continuous compliance and protection. Packages include:

  • The required ERISA bond which protects the assets of the retirement plan from theft;
  • Fiduciary Liability coverage to protect you and your assets from personal liability; and,
  • Cyber Liability coverage to safeguard your company and plan from covered losses and expenses in the event of a cyber breach.


Obtain Complete Protection Package Now

Colonial Surety Company is rated “A Excellent” by A.M. Best Company, U.S. Treasury listed and in business all across the country. Serving customers since 1930, we are the trusted source for the pension industry to secure legally required ERISA bonds, fiduciary liability insurance and cyber-liability insurance. We help safeguard plan sponsors, pension professionals and financial advisors — and keep their businesses compliant — with pain-free, efficient, and friendly service every time.