New DOL Cybersecurity Guidelines for Employee Benefits Plan Sponsors

December 7, 2021

Cyber threats are pervasive and the stakes keep getting higher. There are more breaches than ever, and their costs and impacts have increased. A 2021 IBM and Ponemon Institute report put the average cost of a data breach among the businesses surveyed at $4.24 million per incident in 2021, the highest figure in the 17 years the report has been published. New factors are shaping that cost. For instance, the widespread shift to remote work has intensified the effect of breaches: those in which remote work was a factor cost, on average, over $1 million more. On the flip side, wider adoption of technologies such as artificial intelligence, security analytics and encryption is helping to reduce the cost and impact of breaches.


Sponsors of employee benefit plans have a fiduciary responsibility to act in the best interests of plan participants, and that responsibility extends to protecting plan data and assets against cyber threats. In fact, for the first time, the U.S. Department of Labor (DOL) has issued cybersecurity guidance for plan sponsors and fiduciaries regulated by the Employee Retirement Income Security Act (ERISA), as well as for record keepers and plan participants. The guidance is broken down into three categories:

  • Tips for Hiring a Service Provider
  • Cybersecurity Best Practices
  • Online Security Tips

It is important for plan sponsors and fiduciaries to become familiar with and follow the DOL’s guidance.

Tips for Hiring a Service Provider

The DOL recommends that plan sponsors and fiduciaries confirm that their plan administrators, record keepers and other service providers with access to plan records and participants' confidential data follow prudent cybersecurity practices and policies. To make this determination, ask each provider for its information security standards, policies and practices, and for the results of its cybersecurity audits, which verify information security, system and data availability, data processing integrity, and data confidentiality. Ask each provider whether it has experienced a data breach and, if so, what was involved and how it responded to the incident. It is also important to ascertain each provider's cybersecurity insurance coverage, and to make sure the service contract requires the provider to maintain these practices, notify the plan of any breach, and keep that coverage in force.

Cybersecurity Best Practices

In its cybersecurity guidance to plan sponsors and fiduciaries, the DOL recommends a formal, documented cybersecurity program that identifies and assesses the internal and external cybersecurity risks that may threaten the confidentiality, integrity or availability of stored nonpublic information. Such a program should cover identifying potential risks; protecting all assets, data and systems; detecting and responding to cybersecurity events; recovering from those events; promptly disclosing events when appropriate; and returning to normal operations.

Strong written policies are essential and should address, among other areas:

  • Data governance and classification
  • Access controls and identity management
  • Systems operations
  • Vulnerability and patch management
  • Asset management
  • Proper data disposal
  • Data privacy
  • Third-party service provider and vendor management
  • Cybersecurity awareness training

The guidance also calls for an annual risk assessment; a third-party audit of security controls; clearly defined and assigned information security roles and responsibilities; strong access control procedures; security reviews and independent security assessments of any assets or data stored in a cloud or managed by a third party; and a business resiliency program encompassing business continuity, disaster recovery and incident response plans.

Online Security Tips

The DOL's guidance to employee benefit plan sponsors and fiduciaries also includes online security tips intended for plan participants, which sponsors should pass along to their members. Among those noted were:

  • Register, set up and routinely monitor online accounts
  • Use strong and unique passwords
  • Use multi-factor authentication
  • Keep personal contact information current
  • Close or delete unused accounts
  • Be wary of free Wi-Fi
  • Beware of phishing attacks
  • Use antivirus software and keep apps and software current
  • Know how to report identity theft and cybersecurity incidents

For complete information on the DOL’s cybersecurity guidance to plan sponsors and fiduciaries, visit: