The DOL's Employee Benefits Security Administration ("EBSA") provided new guidance for plan sponsors, fiduciaries, participants and record-keepers concerning best practices for managing cybersecurity. This is the first time the EBSA has provided cybersecurity guidance. (See also GAO retirement plan guidance issued in February 2021: "Defined Contribution Plans: Federal Guidance Could Help Mitigate Cybersecurity Risks in 401(k) and Other Retirement Plans").

The DOL asserted that plan participants and plan assets "may be at risk from both internal and external cybersecurity threats," and that "ERISA requires plan fiduciaries to take appropriate precautions to mitigate these risks."

The EBSA issued the following three forms of guidance:

  • Tips for Hiring a Service Provider with Strong Cybersecurity Practices, which sets forth considerations for plan sponsors and fiduciaries to help them prudently select and monitor plan service providers with strong cybersecurity practices;
  • Cybersecurity Program Best Practices, which provides guidance for record-keepers and other service providers responsible for plan-related IT systems and data, and for plan fiduciaries making prudential decisions regarding the service providers they hire; and
  • Online Security Tips, which provides tips for plan participants and beneficiaries who access their retirement accounts online to decrease the risk of fraud and loss to their retirement accounts.
