Department of Labor Issues Guidelines for ERISA Fiduciaries on Cybersecurity

Today, more than ever, Americans are online. Banking, shopping, and scheduling healthcare appointments are done online, and so is checking on your Social Security benefits and retirement accounts. This means that a great deal of personal information is also online.


With the exponential growth of Internet connectivity, there have been more and more cyber-attacks, often with devastating consequences. Although the Department of Homeland Security already has the Cybersecurity and Infrastructure Security Agency (CISA) as a watchdog against cyberattacks, the Employee Benefits Security Administration (EBSA), the agency within the Department of Labor that governs ERISA issues, recently published guidelines for ERISA Fiduciaries, Plan Sponsors and Plan Participants to combat these cybersecurity threats and effectively defend against these malicious attacks.


On April 14, 2021, the EBSA provided cybersecurity guidance for the first time ever. The EBSA estimates that there are over 140 million plan participants in the private pension system, including corporate-sponsored defined benefit, 401(k), and 403(b) plans, with estimated assets of $9.3 trillion. This is why it is imperative to provide sufficient protection for participants and their assets. The EBSA guidance includes tips on what to look for when hiring Service Providers, Cybersecurity Best Practices, and General Online Security Tips.


What to look for when hiring a Service Provider:


  1. Ask about the service provider’s information security standards, practices and policies, and audit results. Look for service providers that follow a recognized standard for information security and use an outside (third-party) auditor to review and validate cybersecurity.
  2. Ask the service provider how it validates its practices and what levels of security standards it has met and implemented. Look for contract provisions that give you the right to review audit results demonstrating compliance with the standard.
  3. Evaluate the service provider’s track record in the industry, including public information regarding information security incidents, other litigation, and legal proceedings related to the vendor’s services.
  4. Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded.
  5. Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches.
  6. When you contract with a service provider, make sure that the contract requires ongoing compliance with cybersecurity and information security standards – and beware of contract provisions that limit the service provider’s responsibility for IT security breaches. Also, try to include terms in the contract that would enhance cybersecurity protection for the Plan and its participants.


Use Cybersecurity Best Practices:


  1. Have a formal, well documented cybersecurity program.
  2. Conduct prudent annual risk assessments.
  3. Have a reliable annual third-party audit of security controls.
  4. Clearly define and assign information security roles and responsibilities.
  5. Have strong access control procedures.
  6. Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
  7. Conduct periodic cybersecurity awareness training.
  8. Implement and manage a secure system development life cycle (SDLC) program.
  9. Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
  10. Encrypt sensitive data, stored and in transit.
  11. Implement strong technical controls in accordance with best security practices.
  12. Appropriately respond to any past cybersecurity incidents.


Follow proper Online Security protocols:


  1. Register, set up and routinely monitor your online account
  2. Use strong and unique passwords
  3. Use multi-factor authentication
  4. Keep personal contact information current
  5. Close or delete unused accounts
  6. Be wary of free Wi-Fi
  7. Beware of phishing attacks
  8. Use antivirus software and keep apps and software current
  9. Know how to report identity theft and cybersecurity incidents


The guidance issued by the DOL is an important step in helping Plan Sponsors, Fiduciaries and Plan Service Providers safeguard retirement benefits and personal information. We anticipate that, in time, the DOL will issue additional guidance, perhaps even standards and requirements, to combat cybercrime, as this has been on the agenda of the US Government Accountability Office (GAO) for some time. As additional information is released, we will continue to keep you updated. EJReynolds has been adamant about security and will continue to update the EJReynolds Cybersecurity Policy as new information becomes available.


Entrust your plan development and your personal data to the retirement plan experts at EJReynolds.


Our commitment to your security is just one more reason to trust your retirement plan administration to EJReynolds. To learn more, please call 954.431.1774. We are here to help.