On April 14th, 2021, the Department of Labor (DOL) announced cybersecurity guidance for plan sponsors, fiduciaries, recordkeepers, and plan participants. Specifically, the guidance sets out best practices for maintaining cybersecurity, including tips on protecting worker retirement benefits. Moreover, this is the first time the DOL’s Employee Benefits Security Administration (EBSA) has issued cybersecurity guidance. The EBSA wrote the new guidance for plan sponsors and fiduciaries regulated by the Employee Retirement Income Security Act (ERISA). In addition, the guidance affects plan participants and beneficiaries. Separately, the EBSA recently issued a notice guiding employers on the duration of COVID-19-related benefit plan deadline extensions.

Important Statistics

According to the DOL, the EBSA created the new guidance after reviewing current statistics. For instance, as of 2018, the EBSA estimates that there are 34 million defined benefit plan participants in private pension plans. Additionally, there are 106 million defined contribution plan participants. Together, both forms of plan cover estimated assets of $9.3 trillion. Without sufficient protection, the DOL claims that these assets may be at risk from internal and external cybersecurity threats. Therefore, ERISA requires plan fiduciaries to take appropriate precautions to mitigate these risks.

Overview of the Guidance

The EBSA’s new cybersecurity guidance comes in three forms:

  • Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with solid cybersecurity practices. The document also provides advice on how sponsors and fiduciaries can monitor service provider activities, which ERISA requires.
  • Cybersecurity Program Best Practices: Assists plan fiduciaries and recordkeepers in their responsibilities to manage cybersecurity risks.
  • Online Security Tips: Offers plan participants and beneficiaries who check their retirement accounts basic online rules to reduce the risk of fraud and loss.

Finally, the guidance complements the EBSA’s regulations on electronic records and disclosures to plan participants and beneficiaries. Those regulations include provisions on ensuring that:

  • electronic recordkeeping systems have reasonable controls;
  • adequate records management practices are in place; and
  • electronic disclosure systems include measures calculated to protect Personally Identifiable Information (PII).