The U.S. Department of Labor (DOL) announced in April new cybersecurity guidance (the Guidance) for protecting ERISA-covered plan data from internal and external cybersecurity threats. This Guidance is the first of its kind from the DOL and supplements DOL regulations that govern electronic records and disclosures to plan participants and beneficiaries.

The Guidance recognizes that plan sponsors and other fiduciaries have an obligation to mitigate cybersecurity risks, including by prudently selecting and monitoring service providers with strong cybersecurity practices. The Guidance is consistent with cybersecurity measures in existing law and other cybersecurity guidance, standards and best practices; however, it leaves open many questions, including how the Guidance might be used in the future (e.g., DOL enforcement activity and private party litigation).

Our recent client alert goes into detail on the three parts of the Guidance that come in the form of “tips” and “best practices.”