
Beware of DOL Cybersecurity Audits

The Department of Labor ("DOL") continues to focus on cybersecurity in its audits and investigations – often asking questions that extend beyond the set of best practices and tips it published in 2021 (the "Best Practice Tips") that apply to health and welfare and retirement plans (see our alert here). We caution that the Best Practice Tips include requirements that go beyond HIPAA – such as evaluating public information about a service provider's prior security incidents, litigation, and legal proceedings related to its services – so simply complying with HIPAA would not be sufficient. The DOL's inquiries also tend to extend beyond the general cybersecurity policies and procedures that employer plan sponsors have in place to the employer's more granular procedures, such as its policies for handling portable devices, its maintenance schedules for systems that store plan data (e.g., payroll records and beneficiary forms), and its password requirements policy.

Plan sponsors can take the following steps to evaluate their preparedness for a DOL audit:

1. Review Service Provider Agreements. Most plan sponsors have adopted a document or policy outlining the information security requirements for service providers, addressing minimum standards for access, authentication, encryption, and notification of cyber incidents. Plan sponsors should review agreements with service providers that store, create, or maintain employee and beneficiary personally identifiable information ("PII") (e.g., social security numbers, bank account information, date of birth) and HIPAA-protected health information ("PHI") to make sure those agreements require compliance with the plan sponsor's information security requirements.
2. Audit Cybersecurity Program Documents. Plan sponsors should review their cybersecurity program documentation and confirm that it addresses all the requirements outlined in the Best Practice Tips. In addition to cybersecurity procedures, the DOL has requested documentation that discusses cybersecurity procedures and issues, such as emails and meeting minutes, so plan sponsors should conduct an exhaustive review of any cybersecurity-related documentation.
3. Conduct Cybersecurity Training. The DOL often requests documentation of cybersecurity training, such as training logs, training schedules, and copies of cybersecurity training materials. Plan sponsors should therefore ensure employees are appropriately trained in cybersecurity procedures.
4. Evaluate Cybersecurity Insurance Policies. Plan sponsors should review their insurance policies (e.g., fiduciary insurance, cyber insurance) and fidelity bonds for scope of coverage and other guarantees regarding cybersecurity. In particular, a close review of such policies helps clarify the scope of coverage, including whether social engineering or fraud losses are covered. In audits, the DOL often requests insurance policies and documentation related to any claims on cyber-insurance policies.
5. Review Cybersecurity Capabilities in the RFP Process. Plan fiduciaries should review service providers' cybersecurity capabilities and procedures at the RFP stage, as well as during their ongoing monitoring process. As part of the audit process, the DOL often requests documentation of the steps a plan sponsor took to evaluate the cybersecurity capabilities of service providers that will have access to, maintain, or create PII or electronic PHI.