On April 14, 2021, the U.S. Department of Labor (DOL) released
three-part guidance on cybersecurity issues for employee benefit
plans, marking its first significant commentary on the issue since
its comprehensive but nonbinding report in late 2016. The DOL’s
guidance arrives amidst an increase in high-profile lawsuits
arising out of retirement plan participants’ claims that plan
sponsors, responsible fiduciaries, and service providers failed to
adequately protect retirement accounts against cybersecurity
threats. Given the increased threat of cybersecurity attacks
in general and the potential vulnerability of approximately $9.3
trillion in benefit plan assets (per DOL estimation), ERISA plan
sponsors, responsible fiduciaries, and participants have eagerly
awaited formal DOL guidance on this issue. This update provides a
detailed examination of the DOL’s three-part cybersecurity
guidance for ERISA plans as well as a summary of practical
implications for plan sponsors and responsible fiduciaries.
DOL Guidance on Cybersecurity
Tips for Plan Sponsors and Responsible Fiduciaries on Hiring Service Providers With Strong Cybersecurity Practices.
The DOL developed a
list of the following six tips that plan sponsors and responsible
fiduciaries should follow in fulfilling their duties under
ERISA’s requirements to prudently select and monitor ERISA plan
- Requesting the service provider’s security practices and
protocols and comparing these systems to industry standards adopted
by other financial institutions.
- Inquiring as to how the service provider validates its security
controls, including by securing a contractual right to review
security system audit results.
- Evaluating the service provider’s information security
track record, including by reviewing publicly available information
on security incidents and related litigation.
- Confirming any recent security breach issues and related
- Confirming whether the service provider has sufficient
cybersecurity and identity theft insurance coverage to meet the
needs of the plan and its participants.
- Incorporating ongoing cybersecurity compliance requirements
into service agreements as well as other contractual requirements,
such as (a) third-party audit requirements; (b) limitations on use
and disclosure of confidential information; (c) prompt notification
of cybersecurity breaches; (d) record retention policies in
compliance with applicable law; and (e) adequate cybersecurity,
identity theft, and breach insurance coverage (whether as a
stand-alone policy or as a rider to the service provider’s
existing errors and omission liability insurance policies).
Cybersecurity Program Best Practices for Plan Recordkeepers and Service Providers.
The
DOL further provided a detailed description of twelve best
practices that should be followed by plan recordkeepers and other
service providers responsible for plan-related IT systems and data,
as well as for plan fiduciaries in making prudent decisions when
selecting service providers. The DOL’s best practice
cybersecurity recommendations for plan recordkeepers and relevant
service providers include (in brief):
- Having a well-documented cybersecurity program capable of
identifying, assessing, protecting against, recovering from, and
appropriately disclosing both internal and external cybersecurity
threats to the confidentiality, integrity, or availability of
stored nonpublic information. The cybersecurity program should
implement formal policies designed to limit and counteract
cybersecurity threats (e.g., access management, incident response,
and security control policies and procedures).
- Conducting an annual risk assessment designed to identify
information security threats and result in the revision of
cybersecurity controls as needed to respond to existing and
- Engaging an independent third-party auditor to assess the
security controls and document the correction of any weaknesses on
at least an annual basis.
- Identifying a chief information security officer with
sufficient expertise and necessary credentials to establish and
maintain the cybersecurity program.
- Implementing strong access control procedures that limit access
to information systems and sensitive plan and participant data
through authorization procedures and identity authentication
- Engaging in regular security reviews of cloud storage
providers’ and other third-party data storage providers’
information systems, including through the use of third-party
independent security assessments of such systems.
- Conducting annual cybersecurity awareness trainings for all
personnel, with particular emphasis on risks identified in the most
recent risk assessment.
- Implementing a secure system development lifecycle program
designed to evaluate the security of any applications developed and
used in-house through periodic vulnerability and penetration
testing for all customer-facing applications (and data maintained
- Developing a business resiliency program that effectively
addresses business continuity, disaster recovery, and incident
response programming in each circumstance to ensure the
safeguarding and ongoing availability of people, assets, and data
on the occurrence of a cybersecurity event or disaster.
- Encrypting all nonpublic plan and participant information at
all times, including when stored and in transit.
- Implementing strong technical controls for hardware, software,
or firmware components of the information systems (e.g., regular
updates to system components).
- Responding appropriately to cybersecurity incidents or breaches
in order to protect the plan and its participants, including by
notifying law enforcement and any relevant insurers, investigating
the incident, informing affected plans and participants of steps to
take to prevent or reduce injury, and fixing problems that gave
rise to the incident or breach.
Online Security Tips for Retirement Plan Participants.
The DOL also issued guidance
providing tips for participants to reduce the risk of fraud and
loss to their retirement accounts. These tips include many
now-standard methods for protecting personal assets and information
while online, such as routinely monitoring online accounts, using
strong and unique passwords, using multifactor authentication when
available, updating personal contact information, closing unused
accounts, being wary of free Wi-Fi and phishing attacks, using
updated anti-virus software, and knowing how to report identity
theft and cybersecurity incidents.
Practical Implications for ERISA Plan Sponsors and Responsible
The DOL’s guidance on cybersecurity issues for ERISA plans
carries practical implications for plan sponsors and responsible
fiduciaries, including the following highlights:
- Though the DOL describes its guidance as “tips” and
“best practices,” responsible fiduciaries are subject to
ERISA’s prudent selection and monitoring standards with respect
to engaging and retaining recordkeepers and other service
providers. Responsible fiduciaries, therefore, should consider the
DOL’s tips for provider selection in their compliance
- The DOL’s guidance likely indicates an increased focus on
cybersecurity issues in DOL enforcement actions, so responsible
fiduciaries should evaluate the DOL’s tips in preparing for
potential review or investigation. The DOL’s guidance may also
spur litigation and move the needle on the criteria for determining
whether responsible fiduciaries acted prudently.
- Though the DOL’s guidance on cybersecurity insurance
relates to service providers’ coverage, plan sponsors and
responsible fiduciaries should confirm whether existing fiduciary
liability insurance will adequately cover cybersecurity issues. If
not, plan sponsors and responsible fiduciaries should discuss with
insurers the possibility of adding supplemental coverage to address
- Plan sponsors and responsible fiduciaries should consider
addressing both the DOL’s best practices for providers and tips
for provider selection in vendor procurement processes, including
within internal trainings for personnel involved in the vendor
- Plan sponsors and responsible fiduciaries for plans of all
sizes should treat the DOL’s best practices for providers as a
checklist for reviewing their own cybersecurity readiness with
respect to internal plan administration. The lack of security
controls at the plan sponsor level can lead to losses that arguably
cannot be prevented at the provider level. Sponsors and responsible
fiduciaries may need to consider engaging third-party consultants
specializing in cybersecurity issues to promote readiness and the
security of plan participants’ assets and information. Given
the increasing regularity of cybersecurity incidents, plan sponsors
and responsible fiduciaries may need to act promptly to conduct
this review and remedy any issues identified in order to reduce the
risk of losses to ERISA plan participants.
- The DOL’s guidance largely mirrors guidance issued by the
U.S. Department of Health and Human Services with respect to the
security controls under the HIPAA Security Rule and the
requirements thereunder. Plan sponsors and responsible fiduciaries
conducting a review of their cybersecurity controls may be able to
leverage policies, procedures, and controls applicable to group
health plans governed by HIPAA, or, on finding those controls
insufficient, engage in a uniform remediation program to improve
cybersecurity controls for all ERISA plans.