Cybersecurity Attack Warning Clauses
(Retirement Plan) (Summary Plan Description)


Summary

Include these cybersecurity clauses in a qualified retirement plan's summary plan description. They provide language to warn plan participants of the dangers of cybersecurity issues relative to the plan's operation and recordkeeping. These clauses include practical guidance and drafting notes. Qualified retirement plans are especially susceptible to cybersecurity and data security attacks, including, for example, in connection with distributions and loans. Plan sponsors and other fiduciaries must take steps to secure participation information provided to vendors in order to protect the security of plan information, consistent with their fiduciary duties under ERISA (especially the duty of prudence). Because the Department of Labor has issued limited guidance on fiduciary responsibility for protecting plans against privacy risks and cybersecurity attacks, this topic has been one of much debate. For a listing of key content regarding cybersecurity issues in retirement plans, see Cybersecurity for Retirement Plans Resource Kit. For additional SPD language specific to internet fraud and advice on how to prevent such fraud, see Identity Theft and Internet Fraud Warning Clauses (Retirement Plan) (Summary Plan Description). For more information on cybersecurity and identity protection issues related to SPDs, see Privacy Risks for Retirement and Other Non-Health Benefit Plans. For additional language always required by law in a summary plan description, see Summary Plan Description Resource Kit. Also see ERISA Fiduciary Duties.