Employee Benefit Plans: Is Your Cybersecurity Program Up to Par?

Have you put the Department of Labor's (DOL) cybersecurity guidance into practice yet? If your current practices are not consistent with the DOL's guidance, plans, service providers, and fiduciaries should begin taking prudent steps to implement the safeguards needed to protect a plan's assets and participant data.

In April 2021, the DOL issued guidance providing tips and best practices to help employee benefit plans, service providers, and fiduciaries better manage cybersecurity risks. Shortly after the release of the guidance, the DOL began reaching out to plan sponsors to inquire about their cybersecurity practices.

Cybersecurity-related issues affect organizations of all shapes and sizes and are a concern for plans, service providers, and fiduciaries as well as plan participants. These plans store vast amounts of sensitive personal information online, information that could put participants and their assets at risk if a plan's online systems were breached. Adopting strong cybersecurity practices, together with oversight of third-party providers, reduces an organization's exposure to cybersecurity events.

Best practices for cybersecurity programs

The Employee Benefits Security Administration (EBSA) issued best practices for use by recordkeepers and other service providers responsible for plan-related IT systems and data, and for plan fiduciaries making prudent decisions about the service providers they hire. The guidance outlines the basic measures a service provider should implement to mitigate the risk of fraud and loss to retirement accounts. Plans' service providers should:

  1. Have a formal, well documented cybersecurity program.
  2. Conduct prudent annual risk assessments.
  3. Have a reliable annual third-party audit of security controls.
  4. Clearly define and assign information security roles and responsibilities.
  5. Have strong access control procedures.
  6. Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
  7. Conduct periodic cybersecurity awareness training.
  8. Implement and manage a secure system development life cycle (SDLC) program.
  9. Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
  10. Encrypt sensitive data, both at rest and in transit.
  11. Implement strong technical controls in accordance with best security practices.
  12. Appropriately respond to any past cybersecurity incidents.


Do you need help navigating the DOL's cybersecurity guidance and evaluating your current programs? Buchbinder's team of professionals is experienced, fully equipped, and committed to assisting clients with their cybersecurity needs. Contact us to discuss your specific situation.