The Evidence Vault
Preparing for a DOL Cybersecurity Information Request
In the world of ERISA, there is a hard truth that every plan sponsor eventually learns: If it isn’t documented, it didn’t happen. You may have the most sophisticated encryption and the most expensive CISO on the market, but if you cannot produce the specific “written policy statements, procedures, and guidelines” requested during a Department of Labor (DOL) examination, you are effectively defenseless.
This guide is a methodical, step-by-step dissection of the actual information requests used in DOL audits. We aren’t just talking about “best practices” here; we are talking about the Evidence Vault—the specific body of documentation that proves you have fulfilled your fiduciary obligation to protect plan assets and participant data.
The “Paper Trail” of Prudence: Program Documentation
The DOL doesn’t just want to see a signed contract with a recordkeeper; it wants to see “All documents constituting or reflecting the Plan’s cybersecurity program”. This is the most expansive request in an audit, and it is where most fiduciaries fail.
1. Codifying the System
You must be able to produce written policy statements and procedures governing the IT systems that handle plan information. This includes everything from how you handle data disposal to how you manage vulnerability patches. The DOL is looking for a methodical system, not a collection of ad-hoc emails.
2. The Negotiation History
One of the most revealing requests is “Documents (e-mails, minutes, etc.) that discuss any efforts to consider, address, develop, implement, or negotiate cybersecurity problems, procedures, or protections”.
The Fiduciary Action: This proves you aren’t just a passive “check-signer.” The DOL wants to see that you actually negotiated for better security terms with your vendors.
The Record: You should be archiving every email chain where you questioned a service provider’s security posture or pushed for stronger encryption.
“Plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.”
Mapping the Battlefield: Data and Asset Schedules
You cannot protect what you haven’t mapped. The DOL requires a “Schedule of systems critical to the maintenance and protection of Plan participant data and assets”. This is more than just a list of software; it is a full inventory of your plan’s digital footprint.
3. Critical Data Descriptions
The DOL expects you to provide information sufficient to describe the “critical data” used by the plan, including payroll records, election forms, and electronic personnel records.
In-House vs. Outsourced: You must clearly show which systems are maintained in-house and which are outsourced to service providers, such as cloud email or recordkeeping platforms.
The “Shadow IT” Trap: You must specifically describe any spreadsheets used as critical systems (e.g., census data) and any file-sharing systems like shared folders on a network.
4. Email as an Administrative Tool
The DOL specifically asks how email is used to administer the plan. If you are sending unencrypted Social Security numbers or distribution forms via standard email, this request is designed to catch that vulnerability.
Validating the Vault: SOC Reports and Third-Party Audits
The DOL wants to see the “Plan, Plan Sponsor, and service provider reports of third party audits,” specifically citing SOC 1 or SOC 2 reports. This is your primary tool for “Vendor Oversight.”
5. Reading the SOC Report
It is not enough to have a SOC 2 report from your recordkeeper; you must be able to show that you reviewed it.
Specific Controls: The audit should cover access controls (who has admin privileges) and even physical controls, like whether the server room is locked.
Independent Assessments: The EBSA Best Practices emphasize that assets managed by a third party must be subject to independent security assessments. Your Evidence Vault should contain these reports for every major vendor.
The Response Framework: Breach and Disaster Recovery
When an incident occurs, the DOL doesn’t just ask what happened; they ask for the “Cybersecurity breach response plan”. This is the instruction manual for your team when the “golden years” of your participants are under threat.
6. The Anatomy of an Incident Record
If you have suffered a breach or even “suspicious activity,” you must produce documentation identifying the threat and showing:
Detection: How was the incident detected?
Reporting: Was it reported to law enforcement, insurance carriers (fiduciary/cyber), or fidelity bond carriers?
Notification: When and how were the participants notified?
Losses: Documentation showing any monetary losses incurred by the plan or the sponsor.
7. Restoration Procedures
The DOL will ask how data was restored in the event that PII or PHI was lost. This ties directly into your Business Resiliency Program, which must address business continuity, disaster recovery, and incident response.
The Human Barrier: Training and Roles
A vault is only as secure as the people who hold the keys. The DOL asks for a “List of persons in charge for overseeing cybersecurity” and documents reflecting “cybersecurity awareness training”.
8. Accountability and Certifications
For a program to be effective, it must be managed by a qualified CISO who establishes the vision and operation of the program. Your Evidence Vault should include:
CISO Qualifications: Documentation of their experience and necessary certifications.
Background Checks: Records of initial and periodic background checks for personnel handling sensitive data.
Need a hand with your security roadmap?
You shouldn’t have to navigate ERISA compliance alone. I’ve led security for global multinationals and $1 quadrillion in assets, and now I provide that same executive-level support to plans like yours on a fractional basis.
Fractional CISO: High-Stakes Security for Your Fiduciary Future
As a plan sponsor, you are legally responsible for the “prudent mitigation” of cybersecurity risks. But in a world of complex cloud systems, AI-driven fraud, and aggressive DOL audits, most fiduciaries feel they are flying blind.
9. Documented Training
The DOL wants to know “who developed the training” and its “frequency”.
Scope: The training must specifically cover the protection of Protected Health Information (PHI) and Personally Identifiable Information (PII).
Conduct: You must have documents “constituting or reflecting the conduct” of this training—meaning attendance logs and curricula, not just a verbal confirmation that it happened.
The Technical Core: Encryption and SDLC
Finally, the DOL dives into the “Technical Controls”. They want to see your processes for the encryption of sensitive data, both stored and in transit.
10. The Secure SDLC (For Internal Systems)
If you develop any systems internally, the DOL will ask for copies of your System Development Lifecycle (SDLC) controls.
The Methodical Approach: This proves that security assurance activities like code review and architecture analysis are an integral part of your development.
Efficiency vs. Chaos: A documented SDLC moves you away from chaotic “emergency” fixes and into a predictable, step-by-step process that builds security into the foundation of your software.
Conclusion: Building Your Vault Today
Preparing for a DOL audit isn’t something you do after you receive a letter from the Employee Benefits Security Administration. It is a daily fiduciary habit. By building your Evidence Vault according to these 10 areas of inquiry, you are doing more than just satisfying an auditor; you are creating a methodical, resilient environment that protects the hard-earned assets of your participants.
The Department of Labor’s questions are a roadmap. Follow them, document your actions, and you will move from a position of vulnerability to one of Fiduciary Sovereignty.
Whenever you’re ready, here is how I can help you:
Each offering begins with a 30-minute free intro call to understand your needs.
Fractional Plan CISO (vCISO): Ongoing “Prudent Person” security leadership for your plan assets.
DOL Audit Readiness: Bridging the gap between current controls and EBSA regulatory expectations.
AI Risk Assessment & Fiduciary Action: Identifying and mitigating the hidden risks in your vendor’s AI tools.