Why Retirement Plan Sponsors and Fiduciaries Need to Know about the SEC Cybersecurity Amendments

Jackson Lewis P.C.

In 2021, the Department of Labor (DOL) issued cybersecurity guidance for ERISA-covered retirement plans. The guidance expands the duties retirement plan fiduciaries have when selecting service providers. Specifically, the DOL makes clear that when selecting retirement plan service providers, plan fiduciaries must prudently assess the cybersecurity of those providers.  

On May 15, 2024, the Securities and Exchange Commission (SEC) adopted amendments to Regulation S-P, which governs the treatment of nonpublic personal information about consumers by certain financial institutions, many of which are commonly vendors and service providers to retirement plans. For example, the amendments reach broker-dealers, investment companies, registered investment advisers, and transfer agents. Importantly, the amendments establish specific cybersecurity requirements for these entities, requirements that retirement plan fiduciaries should be aware of.

Some of the key requirements include:

  • Incident Response Program:
    • Covered institutions must develop, implement, and maintain written policies and procedures for an incident response program.
    • The program should be reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.
  • Notice Requirements:
    • Covered institutions must provide notice to individuals whose sensitive customer information was accessed or used without authorization.
    • The notice must include details about the incident, the data that was breached, and steps affected individuals can take to protect themselves.
    • Notice must be provided as soon as practicable, but not later than 30 days after becoming aware of the incident.
  • Service Provider Oversight:
    • Covered institutions must establish, maintain, and enforce written policies and procedures reasonably designed to require oversight of service providers, including through due diligence and monitoring.

The amendments also set forth requirements for maintaining written records documenting compliance with the requirements. The required retention period differs depending on the type of covered institution, but the minimum is at least 2 years.

The amendments become effective 60 days after publication in the Federal Register. Larger entities will have 18 months after the date of publication in the Federal Register to comply with the amendments, and smaller entities will have 24 months after the date of publication in the Federal Register to comply.

When assessing the cybersecurity of a retirement plan service provider that is a financial institution, plan fiduciaries may want to be aware of these requirements as part of their assessment process. For example, the changes to the SEC requirements for incident reporting may be useful to retirement plan sponsors as they consider their own incident response plans, should a data breach experienced by a 401(k) plan involve the data of their current and former employees.  

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Jackson Lewis P.C.
