Skip to Content
View of an empty office space.
Article

New DOL guidance for cybersecurity risks associated with employee benefit plans

February 28, 2023 / 3 min read

The U.S. Department of Labor issued new guidance for addressing cybersecurity risks associated with benefit plans. Here’s our breakdown of the 12 best practices that plan sponsors and service providers should follow.

Historically, the U.S. Department of Labor (DOL) has been relatively quiet with respect to fiduciaries’ responsibilities to protect ERISA-covered benefit plan data. There was little guidance on responsibilities for protecting computers against outside attackers and analyzing data security practices of third-party service providers. However, this changed in April 2021 when the DOL issued new guidance for addressing cybersecurity risks associated with benefit plans.

Why the change?

In addition to millions of dollars in assets, ERISA-covered plans contain pertinent personal data on participants. While assets taken from a pension plan can be quantified, the value of stolen data is effectively unknown.

Without coverage options for theft of participant data (such as that for plan assets), adopting strong cybersecurity practices and oversight of third-party providers helps reduce an organization’s exposure to cybersecurity events.

Best practices from the Employee Benefits Security Administration:

The DOL guidance states that responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks. In addition, the agency has provided guidance and best practices for recordkeepers, other service providers responsible for plan-related IT systems and data, and plan fiduciaries making prudent decisions about service providers they hire.

Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.

The Employee Benefits Security Administration (EBSA) has outlined 12 best practices for service providers to reduce cybersecurity risks associated with employee benefit plans. While some of these practices should be shared by fiduciaries and service providers, others are specific to service providers.

Shared responsibilities:

Service provider responsibilities:

Both fiduciaries over plan assets and benefit plan service providers play a critical function in reviewing cybersecurity roles and ensuring participant data is secure.

It’s important to note that both fiduciaries over plan assets and benefit plan service providers play a critical function in reviewing cybersecurity roles and ensuring participant data is secure. To learn more about addressing cybersecurity risks associated with benefit plans, contact a member of our cybersecurity team.

Related Thinking

Business professionals in a conference room discussing FFIEC CAT sunset
December 16, 2024

FFIEC CAT sunset: Considerations for choosing a new cybersecurity framework

Article 6 min read
Business professional checking the multifactor authentication code on their cell phone.
November 1, 2024

Preparing for the inevitable: Navigating third-party tech failures

Article 7 min read
Parent sitting on the floor with their child and learning about how school districts can proactively manage cyber risk to protect student data.
October 30, 2024

Cybersecurity essentials for K-12 schools: Protecting students and data

Article 6 min read