In 2021, the Department of Labor (DOL) issued cybersecurity guidance for ERISA-covered retirement plans. The guidance expands the duties retirement plan fiduciaries have when selecting service providers. Specifically, the DOL makes clear that when selecting retirement plan service providers, plan fiduciaries must prudently assess the cybersecurity of those providers.
On May 15, 2024, the Securities and Exchange Commission (SEC) adopted amendments to Regulation S-P which governs the treatment of nonpublic personal information about consumers by certain financial institutions, many of which are commonly vendors and service providers to retirement plans. For example, the amendments reach broker-dealers, investment companies, registered investment advisers, and transfer agents. Importantly, the amendments establish specific cybersecurity requirements for these entities, requirements that retirement plan fiduciaries should be aware of. More…