In 2021, the Department of Labor (DOL) issued cybersecurity guidance for ERISA-covered retirement plans. The guidance expands the duties retirement plan fiduciaries have when selecting service providers. Specifically, the DOL makes clear that when selecting retirement plan service providers, plan fiduciaries must prudently assess the cybersecurity of those providers.

On May 15, 2024, the Securities and Exchange Commission (SEC) adopted amendments to Regulation S-P which governs the treatment of nonpublic personal information about consumers by certain financial institutions, many of which are commonly vendors and service providers to retirement plans. For example, the amendments reach broker-dealers, investment companies, registered investment advisers, and transfer agents. Importantly, the amendments establish specific cybersecurity requirements for these entities, requirements that retirement plan fiduciaries should be aware of.

Some of the key requirements include:

• Incident Response Program:
• Covered institutions must develop, implement, and maintain written policies and procedures for an incident response program.
• The program should be reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.
• Notice Requirements:
  • Covered institutions must provide notice to individuals whose sensitive customer information was accessed or used without authorization.
  • The notice must include details about the incident, breached data, and steps affected individuals can take to protect themselves.
  • Notice must be provided as soon as practicable, but not later than 30 days after becoming aware of the incident.
• Service Provider Oversight
  • Covered institutions establish, maintain, and enforce written policies and procedures reasonably designed to require oversight including through due diligence and monitoring of service providers.

The amendments also set forth requirements for maintaining written records document compliance with the requirements. There are different requirements for the retention period depending on the type of covered institution, but the minimum is at least 2 years.

The amendments become effective 60 days after publication in the Federal Register. Larger entities will have 18 months after the date of publication in the Federal Register to comply with the amendments, and smaller entities will have 24 months after the date of publication in the Federal Register to comply.

When assessing the cybersecurity of a retirement plan service provider that is a financial institution, plan fiduciaries may want to be aware of these requirements as part of their assessment process. For example, the changes to the SEC requirements for incident reporting may be useful to retirement plan sponsors as they consider their own incident response plans, should a data breach experienced by a 401(k) plan involve the data of their current and former employees.