Cybersecurity Guidance for Plan Sponsors

Are you putting the Department of Labor’s (DOL) cybersecurity guidance into practice? In April, the DOL issued guidance providing tips and best practices to help retirement plan sponsors and fiduciaries better manage cybersecurity risks.

Recently, the DOL has begun an audit initiative focused on the cybersecurity practices of retirement plan sponsors and fiduciaries. In the past few months, the DOL has requested documents pertaining to the cybersecurity and information security program policies, procedures, and guidelines that relate to the plan (whether applied by the plan sponsor or by a provider), as well as detailed documentation of specific actions taken by the plan’s fiduciaries and providers, including many that the DOL addressed in its guidance, such as:

  • The implementation of access controls and identity management, including any use of multi-factor authentication.
  • The processes for business continuity, disaster recovery, and incident response.
  • Management of vendors and third-party service providers, including notification protocols for cybersecurity events and the use of data for any purpose other than the direct performance of their duties.
  • Cybersecurity awareness training.
  • Encryption to protect all sensitive information, whether stored or in transit.

DOL’s Cybersecurity Guidance

The guidance is divided into three topics:

Cybersecurity Program Best Practices: best practices for those responsible for plan-related IT systems and data, to help them meet their responsibilities to manage and mitigate cybersecurity risks.

Tips for Hiring a Service Provider: tips for prudently selecting and monitoring service providers who employ robust cybersecurity practices, including strongly worded recommendations for provisions to include in contracts with service providers.

Online Security Tips: helpful tips for managing cybersecurity risks.

Notably, the DOL affirmatively states in its cybersecurity guidance that responsible plan fiduciaries must ensure proper mitigation of cybersecurity risks.

What Should You Do Now?

In light of the DOL’s cybersecurity audit initiative, plan sponsors and fiduciaries should consider the following actions to help prepare for a potential audit:

  • Evaluate internal cybersecurity programs. Review the DOL cybersecurity tips and best practices and analyze how your existing programs stack up. Identify gaps where the DOL would expect to see cybersecurity protections and documentation in place, and act to make the changes needed to bring the program up to the DOL’s standards.
  • Analyze service providers’ cybersecurity programs and contracts. Review existing service provider cybersecurity standards, practices, and policies to ensure they follow the DOL cybersecurity guidance. Consider updating contracts to include the provisions recommended by the DOL for enhancing cybersecurity protection.

Employers and fiduciaries are strongly encouraged to act now to address their cybersecurity practices and those of their service providers, particularly given the DOL’s initiatives, the recent litigation on point, and the real-life threats to participants’ retirement savings.


Do you need help navigating the DOL’s cybersecurity guidance and evaluating your current programs? Buchbinder’s team of professionals is fully equipped, experienced, and committed to assisting clients with their cybersecurity needs. Contact us to discuss your specific situation.
