The Advisors' Blog

This blog features wisdom from respected compensation consultants and lawyers

July 7, 2021

Sample Document Request from DOL Cybersecurity Investigations

Back in April, I blogged about DOL cybersecurity guidance directed at ERISA plan sponsors and fiduciaries. At the time, many took note that the DOL guidance could be an indicator that plan sponsors and fiduciaries might find themselves subject to scrutiny over cybersecurity practices in DOL investigations. This Nixon Peabody memo warns that, if you haven’t already done so, plan sponsors and fiduciaries should take action to shore up cybersecurity practices and compliance plans, because the DOL has started investigations into cybersecurity practices.

For insight into what the DOL might ask should an investigation commence, the memo provides a sample document request from one DOL investigation:

All policies, procedures, or guidelines relating to:

  • Data governance, classification, and disposal
  • The implementation of access controls and identity management, including any use of multi-factor authentication
  • The processes for business continuity, disaster recovery, and incident response
  • The assessment of security risks
  • Data privacy
  • Management of vendors and third party service providers, including notification protocols for cybersecurity events and the use of data for any purpose other than the direct performance of their duties
  • Cybersecurity awareness training
  • Encryption to protect all sensitive information transmitted, stored, or in transit

All documents and communications relating to any past cybersecurity incidents

All security risk assessment reports

All security control audit reports, audit files, penetration test reports and supporting documents, and any other third-party cybersecurity analyses

All documents and communications describing security reviews and independent security assessments of the assets or data of the plan stored in a cloud or managed by service providers

All documents describing any secure system development life cycle (SDLC) program, including penetration testing, code review, and architecture analysis

All documents describing security technical controls, including firewalls, antivirus software, and data backup

All documents and communications from service providers relating to their cybersecurity capabilities and procedures

All documents and communications from service providers regarding policies and procedures for collecting, storing, archiving, deleting, anonymizing, warehousing, and sharing data

All documents and communications describing the permitted uses of data by the sponsor of the plan or by any service providers of the plan, including, but not limited to, all uses of data for the direct or indirect purpose of cross-selling or marketing products and services

Please note that you may need to consult not only with the sponsor of the plan, but with the service providers of the plan to obtain all documents responsive to these requests. If you are unable to produce documents responsive to any of the foregoing, please specify the requests and the reasons for the non-production.

– Lynn Jokela