Cybersecurity Guidance

Kimberly A. Reed
Principal, CPA

14 June 2021

The U.S. Department of Labor recently announced new guidance for plan sponsors, plan fiduciaries, record keepers and plan participants on best practices for maintaining cybersecurity, including tips on how to protect the retirement benefits of America’s workers. This is the first time the department’s Employee Benefits Security Administration (the “EBSA”) has issued cybersecurity guidance.

As of 2018, EBSA estimates that there are 34 million defined benefit plan participants in private pension plans and 106 million defined contribution plan participants covering estimated assets of $9.3 trillion. Without sufficient protections, these participants and assets may be at risk from both internal and external cybersecurity threats. ERISA requires plan fiduciaries to take appropriate precautions to mitigate these risks.

The guidance comes in three forms:
Tips for Hiring a Service Provider – this provides guidance for plan sponsors to assist them in meeting their responsibilities under ERISA to ensure that they prudently select and monitor service providers.

Cybersecurity Program Best Practices – this includes best practices for recordkeepers and plan fiduciaries to ensure proper mitigation of cybersecurity risk.

Online Security Tips – this provides guidance to plan participants on ways that they can reduce the risk of fraud and loss to their retirement accounts.

“The cybersecurity guidance we issued today is an important step towards helping plan sponsors, fiduciaries and participants to safeguard retirement benefits and personal information,” said Acting Assistant Secretary for Employee Benefits Security Ali Khawar. “This much-needed guidance emphasizes the importance that plan sponsors and fiduciaries must place on combatting cybercrime and gives important tips to participants and beneficiaries on remaining vigilant against emerging cyber threats.”

As the plan sponsor, you could be liable if you do not have a process to safeguard plan assets and participant data. Cyberattacks and litigation are on the rise; it is important that you fulfill your ERISA duties owed to plan participants and ensure their account balances as well as their personal data are not at risk of cyberattack.

Want new articles before they get published?
Subscribe to our Employee Benefits Newsletter.

4 + 6 =