DOL Guidance on Employee Benefit Plans Cybersecurity Best Practices
Published March 8, 2023

The Department of Labor (DOL) released new guidance for plan sponsors, plan fiduciaries, record keepers, and plan participants on best practices for maintaining cybersecurity. For the first time, the DOL’s Employee Benefits Security Administration (EBSA) has issued cybersecurity guidance that complements the EBSA’s regulations on electronic records and disclosures to plan participants and beneficiaries.

An increase in data breaches is affecting businesses worldwide, especially those with valuable data stored online. The EBSA estimated 34 million defined benefit plan participants in private pension plans and 106 million defined contribution plan participants with approximately $9.3 trillion in assets as of 2018. The value of the assets and the online storage of participant and beneficiary information are attractive targets for cybercriminals.

Employee benefit plans operate in an electronic environment that shares employee information with multiple third parties. These systems hold sensitive employee data, including personally identifiable information (PII), electronic protected health information (ePHI), participant enrollment data, individual account balances, direct deposit information, compensation, and other financial information. This information is attractive to cybercriminals, who could take over employee accounts online to request loans and distributions, or to reach participant and sponsor contributions.

In order to address these risks, the DOL provides the following three-part guidance:

Tips for Hiring a Service Provider

The purpose of the guidance for hiring service providers is to help plan sponsors and fiduciaries select providers that maintain strong cybersecurity practices. The guidance outlines six important questions to consider when hiring a service provider, including the provider’s security standards and policies, audit results, past security incidents, insurance policies, and contract agreements.

Cybersecurity Program Best Practices

This document sets out 12 best practices for recordkeepers and other service providers responsible for plan-related IT systems and data, and it also helps plan sponsors and fiduciaries evaluate providers during the selection process. The practices stress that a plan's service provider should maintain a formal, well-documented cybersecurity program; conduct annual risk assessments and independent third-party audits, as well as periodic cybersecurity awareness training; and implement strong technical controls in line with security best practices.

Online Security Tips

This set of nine basic rules for plan participants and beneficiaries aims to reduce the risk of fraud and loss to a retirement account. The guidance highlights the importance of:

    1. Routinely monitoring one’s online account
    2. Maintaining strong and unique passwords
    3. Using multi-factor authentication
    4. Keeping personal contact information current in the system
    5. Closing or removing unused accounts
    6. Exercising caution with free Wi-Fi
    7. Watching out for phishing attacks
    8. Using antivirus software and keeping applications up to date
    9. Knowing how to report identity theft and cybersecurity incidents

Cybersecurity breaches can have substantial financial consequences for plan sponsors, service providers, participants, and beneficiaries. Plan sponsors and service providers should be aware of the significant cost of detecting, investigating, and recovering from cybersecurity incidents. They should also understand the implications of potential HIPAA violations and any fines and monetary settlements that may follow a data breach.

In addition, plan fiduciaries could be found liable for a fiduciary breach and be required to restore losses to plan participants and beneficiaries. Plan sponsors and fiduciaries subject to the Employee Retirement Income Security Act of 1974 (ERISA) have a fiduciary duty in the management of the plan. That duty includes implementing processes and controls that restrict access to a plan's systems, applications, and data, including records held by third parties and other sensitive information. Plan sponsors and fiduciaries must also understand and monitor how their service providers store and protect participant data. The DOL's guidance, together with the EBSA regulations on electronic records and disclosures, provides a roadmap for plan sponsors to maintain a secure electronic environment for their plan participants.

If you have questions about the DOL guidance or cybersecurity best practices, one of our executive contacts would be happy to assist. For cybersecurity or any matter involving IT needs, our comprehensive risk management program, Overwatch, addresses all elements of IT infrastructure, process assessments, data governance, and risk management. You may email us or call (800) 270-9629.

Authors & Contributors

Jenna Lawson
