{ Banner Image }

Department of Labor Releases Employee Benefits and Cybersecurity Best Practices

IT manOn April 14, 2021, the U.S. Department of Labor’s (“DOL’s”) Employee Benefits Security Administration (“EBSA”) issued its first cybersecurity best practices guidance for retirement plans. The EBSA guidance has been highly anticipated as the frequency and cost of data breaches affecting employee benefit plans continues to rise. The EBSA guidance focuses on actions that plan sponsors, plan fiduciaries, record-keepers, and plan participants can take.

Specifically, the three-part guidance provides: (1) tips for hiring third party service providers with strong cybersecurity practices, (2) cybersecurity program best practices, and (3) online security tips for employee benefit plan participants.

The Employee Retirement Income Security Act (“ERISA”) imposes certain fiduciary duties on plan fiduciaries with respect to recordkeeping and the selection and monitoring of service providers. As recently as February, 2021 the Government Accountability Office urged the DOL to state whether it is a fiduciary’s responsibility to mitigate cybersecurity risks. Notably, and for the first time, the EBSA best practices guidance states that “[r]esponsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.” Therefore, plan fiduciaries should, for example, conduct proper due diligence to confirm service providers adhere to prudent cybersecurity practices and procedures to protect the plan participants’ information, data, and accounts. Plan fiduciaries should also monitor the vendor’s adherence to these practices on an ongoing basis.

Below, we summarize the guidance.

Third Party Service Providers

Hiring a service provider can be a long and arduous task, but the obligation to mitigate cybersecurity risks means that these risks cannot be overlooked. Specifically, some of the tips provided by the EBSA include:

  • Asking the vendor how it secures data;
  • Inquiring about previous data breaches or security incidents that the vendor may have experienced;
  • Investigating the level of insurance carried by the provider that would cover losses caused by cybersecurity or identity theft breaches – and whether those policies will cover the costs associated with required notification under each state’s laws;
  • Ensuring any contract that is entered into with a service provider includes a provision that requires ongoing cybersecurity compliance and enhancement.

These factors will be familiar to businesses that have implemented a strong vendor management program that accounts for cybersecurity issues. Many of these factors will be part of a vendor search. Some of these tips will be important within the contract review stage of hiring a new vendor. At all times, the plan sponsor should take action necessary to secure and protect the data of its plan participants.

Cybersecurity Program Best Practices

The guidance provided by the EBSA includes a “best practices” document that outlines helpful tips for ensuring that record-keepers and other service providers are making prudent decisions.  For example, the EBSA suggests that a formal, well documented cybersecurity program should be adopted by plan sponsors. Cybersecurity programs and policies are intended to protect the infrastructure and information within a benefit plan.

Additional steps that are recommended by the EBSA include conducting annual risk assessments, hiring a reliable third party auditing firm to review systems, clearly defining roles for individuals involved with the plans, and cybersecurity awareness training, among others.

Participant-Focused Guidance

The EBSA also provides guidance specific to plan participants who are accessing information online. The guidance provides general tips for reducing and avoiding the risk of fraud or loss for an individual’s retirement account. Some of the tips provided include using multi-factor authentication, routinely monitoring the online account, avoiding access to the account when using free Wi-Fi, and closing accounts that are no longer used.

Plan sponsors and fiduciaries should be aware of the latest guidance regarding online security tips and should be promoting the recommendations to their participants and employees.

Next Steps

We recommend that plan sponsors and fiduciaries:

  • establish strong procedures, protocols, policies, and other safeguards to protect participants’ data and their retirement accounts,
  • develop a process for prudent selection and monitoring of their plan service providers to ensure that they also maintain and follow strong cybersecurity and breach response procedures, and
  • establish and practice an incident response plan, before a cybersecurity incident occurs, and follow the plan if an incident occurs, including contacting your Foster Swift attorney.

Many plan sponsors and fiduciaries, as well as plan service providers, have already developed these policies and procedures, and drafted contracts to reflect them. These policies, procedures, and agreements, should be reviewed and updated, or established if not yet in place, to reflect the EBSA guidance. Please contact us for assistance in doing so.


Categories: Cybersecurity, Department of Labor, Employee Benefits

Photo of Taylor A. Gast

Taylor helps businesses and business owners solve and prevent problems as a member of Foster Swift's Business and Tax practice group. He handles business formation and transactions, tax controversies, employee benefits, and technology related issues.

View All Posts by Author ›

Type the following characters: papa, niner, papa, papa, whisky

* Indicates a required field.