Article

New DOL guidance for cybersecurity risks associated with employee benefit plans

February 28, 2023 / 3 min read

The U.S. Department of Labor issued new guidance for addressing cybersecurity risks associated with benefit plans. Here’s our breakdown of the 12 best practices that plan sponsors and service providers should follow.

Historically, the U.S. Department of Labor (DOL) has been relatively quiet with respect to fiduciaries’ responsibilities to protect ERISA-covered benefit plan data. There was little guidance on responsibilities for protecting computers against outside attackers and analyzing data security practices of third-party service providers. However, this changed in April 2021 when the DOL issued new guidance for addressing cybersecurity risks associated with benefit plans.

Why the change?

In addition to millions of dollars in assets, ERISA-covered plans contain pertinent personal data on participants. While assets taken from a pension plan can be quantified, the value of stolen data is effectively unknown.

Because there are no coverage options for theft of participant data comparable to those available for plan assets, adopting strong cybersecurity practices and overseeing third-party providers helps reduce an organization’s exposure to cybersecurity events.

Best practices from the Employee Benefits Security Administration:

The DOL guidance states that responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks. In addition, the agency has provided guidance and best practices for recordkeepers, other service providers responsible for plan-related IT systems and data, and plan fiduciaries making prudent decisions about service providers they hire.

The Employee Benefits Security Administration (EBSA) has outlined 12 best practices for service providers to reduce cybersecurity risks associated with employee benefit plans. While some of these practices should be shared by fiduciaries and service providers, others are specific to service providers.

Shared responsibilities:

Service provider responsibilities:

It’s important to note that both fiduciaries over plan assets and benefit plan service providers play a critical function in reviewing cybersecurity roles and ensuring participant data is secure. To learn more about addressing cybersecurity risks associated with benefit plans, contact a member of our cybersecurity team.
