
    Alert / Data Privacy & Cybersecurity

    Well that was fast: The Department of Labor commences cybersecurity audit activity

    June 23, 2021


    By Jenny Holmes and Eric Paley

    The Department of Labor is moving quickly to audit cybersecurity protocols—businesses that have not yet addressed their cybersecurity practices and compliance plans must do so immediately.

    What’s the Impact?

    • Knowing the information that will likely be sought during an audit can help companies and plan sponsors tailor and revise their cybersecurity compliance plans.
    • Documented cybersecurity compliance efforts can minimize liability in the event of an audit. Experienced counsel can assist in creation and review of a comprehensive cybersecurity program.


    In April, the Department of Labor (DOL) issued its first guidance on cybersecurity practices for ERISA retirement plans. The guidance, which was largely in response to a U.S. Government Accountability Office report urging the DOL to issue cybersecurity recommendations, establishes the DOL’s minimum expectations for addressing cybersecurity risks.

    The guidance was issued in three parts: (i) Cybersecurity Program Best Practices; (ii) Tips for Hiring a Service Provider with Strong Cybersecurity Practices; and (iii) Online Security Tips. While all three parts of the guidance include tips and best practices, plans must make sure their practices and procedures are memorialized.

    The first two parts of the guidance are intended to help plan sponsors manage cybersecurity risks, including how to prudently select service providers. The Cybersecurity Program Best Practices lists twelve action items that plan sponsors and plan service providers should take. These include having a formal, well-documented cybersecurity program, conducting annual risk assessments, and implementing strong controls to protect plan data. The third piece provides tips for plan participants and beneficiaries to reduce the risk of loss, such as using unique passwords and multi-factor authentication.

    Generally, when the DOL or other regulators issue guidance like this, we would not expect to see audit activity for at least a year or two. However, we are already aware of several investigations that the DOL has commenced regarding cybersecurity practices. We are sharing a sample of requested documentation in one such investigation below.

    Cybersecurity is not infallible. Incidents will happen. What’s important—and what we believe the DOL will want to see—is the effort to prioritize cybersecurity. And given the recent audit activity, creating (or reviewing) your comprehensive cybersecurity program should be done sooner rather than later.

    Example DOL audit questions

    • All policies, procedures, or guidelines relating to:
      • Data governance, classification, and disposal
      • The implementation of access controls and identity management, including any use of multi-factor authentication
      • The processes for business continuity, disaster recovery, and incident response
      • The assessment of security risks
      • Data privacy
      • Management of vendors and third party service providers, including notification protocols for cybersecurity events and the use of data for any purpose other than the direct performance of their duties
      • Cybersecurity awareness training
      • Encryption to protect all sensitive information transmitted, stored, or in transit
    • All documents and communications relating to any past cybersecurity incidents
    • All security risk assessment reports
    • All security control audit reports, audit files, penetration test reports and supporting documents, and any other third-party cybersecurity analyses
    • All documents and communications describing security reviews and independent security assessments of the assets or data of the plan stored in a cloud or managed by service providers
    • All documents describing any secure system development life cycle (SDLC) program, including penetration testing, code review, and architecture analysis
    • All documents describing security technical controls, including firewalls, antivirus software, and data backup
    • All documents and communications from service providers relating to their cybersecurity capabilities and procedures
    • All documents and communications from service providers regarding policies and procedures for collecting, storing, archiving, deleting, anonymizing, warehousing, and sharing data
    • All documents and communications describing the permitted uses of data by the sponsor of the plan or by any service providers of the plan, including, but not limited to, all uses of data for the direct or indirect purpose of cross-selling or marketing products and services

    Please note that you may need to consult not only with the sponsor of the plan, but with the service providers of the plan to obtain all documents responsive to these requests. If you are unable to produce documents responsive to any of the foregoing, please specify the requests and the reasons for the non-production.
