As noted in our recent blog post, the US Department of Labor (DOL) has repeatedly signaled that it would be turning its focus toward the intersection of cybersecurity practices and ERISA’s fiduciary duties. On April 14, 2021, the DOL stopped signaling and started acting, issuing three pieces of subregulatory guidance addressing the cybersecurity practices of retirement plan sponsors, their service providers, and plan participants, respectively. While this subregulatory guidance does not have the deferential authority of a regulation subject to notice and comment—or arguably even the persuasive authority of an Advisory Opinion—the guidance provides a window into the DOL’s expectations of what ERISA’s prudence standards require with respect to cybersecurity matters. This window is particularly important given the specters of a threatened DOL enforcement initiative focusing on cybersecurity and privacy issues, increased private litigation arising out of cybersecurity events, and the general uptick in cybersecurity events affecting employee benefit plans.