U.S. Department of Labor Announces Cybersecurity Guidance

June 29, 2021

By Kevin Nardone

In April of 2021, the Employee Benefits Security Administration (“EBSA”), a division of the U.S. Department of Labor (“DOL”), announced long-awaited cybersecurity guidance for plan sponsors, plan fiduciaries, record keepers and plan participants. With an estimated $9.3 trillion in assets held in retirement accounts, combined with the personal identifiable information retained by plan sponsors and record keepers, shedding light on the importance of protecting this information has become a hot topic in recent years as cybersecurity incidents have become more pervasive in daily headlines.

In conjunction with this announcement, the DOL has been actively pursuing cybersecurity reviews of plan sponsors inquiring on risk assessment practices, cybersecurity incidents or breaches, and planned responses to cybersecurity incidents. EBSA issued a “Cybersecurity Program Best Practices” that will assist plan sponsors and plan fiduciaries in understanding what they should be looking for when hiring service providers. 

EBSA suggests plan service providers:

  • Create a formal, well-documented cybersecurity program.
  • Conduct prudent annual risk assessments and maintain formal documentation of such assessments.
  • Have a reliable annual third-party audit of security controls.
  • Clearly define and assign information security roles and responsibilities.
  • Have strong access control procedures.
  • Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
  • Conduct periodic cybersecurity awareness training.
  • Implement and manage a secure system development life-cycle program.
  • Have an effective business resiliency program addressing business continuity, disaster recovery and incident response.
  • Encrypt sensitive data.
  • Implement strong technical controls in accordance with best security practices.
  • Respond to any past cybersecurity incidents.

For more information on these steps, refer to EBSA’s “Cybersecurity Program Best Practices.”

Plan sponsors, fiduciaries and record keepers should begin the necessary steps in assembling policies and procedures related to those topics identified above as part of their fiduciary duty to protect plan assets. 

In March of 2021, EisnerAmper held a webcast titled “Benefit Plan Cybersecurity & Risks Surrounding Remote Employees.” It encouraged attendees to recognize common threats and identify risks related to cybersecurity surrounding employee benefit plans. The webinar further covered the fiduciary responsibilities plan sponsors have in the administration of their benefit plans to protect plan assets and related participant information. A link to this webcast is included below.

EisnerAmper Webcast

You can also access the DOL’s guidance on “Tips for Hiring a Service Provider with Strong Cybersecurity Practices” and “Online Security Tips” below.

Tips For Hiring a Service Provider With Strong Cybersecurity Practices (dol.gov)

Online Security Tips (dol.gov)

About Kevin Nardone

Kevin Nardone is a Director in the Private Business Services Group.