On April 14, 2021, the U.S. Department of Labor’s (DOL) Employee Benefits Security Administration (EBSA) issued its first-ever cybersecurity guidance for employee retirement plans. This new guidance is aimed towards plan sponsors and plan fiduciaries regulated by the Employee Retirement Income Security Act (ERISA), as well as recordkeepers, plan participants, and beneficiaries.

EBSA cites a 2018 estimate “that there are 34 million defined benefit plan participants in private pension plans and 106 million defined contribution plan participants covering estimated assets of $9.3 trillion.” If they are not adequately protected, these participants and assets are exposed to both internal and external cybersecurity risks. ERISA requires that plan fiduciaries take reasonable steps to minimize these risks.

There are three types of guidance provided by EBSA:

  1. Tips for Hiring a Service Provider
  2. Cybersecurity Program Best Practices
  3. Online Security Tips

Below are some key takeaways from the guidance issued by the DOL’s EBSA.

1. Selecting a service provider with strong cybersecurity practices.

One of the most important aspects of a plan fiduciary's role is to act prudently and diversify the plan's assets to reduce the risk of significant losses. In its guidance, EBSA prepared the following tips for plan sponsors of all sizes to assist business owners and plan fiduciaries in meeting their ERISA obligations to prudently select and monitor service providers:

  1. Ask the service provider about their security standards, procedures, and policies. Compare the results to other financial institutions’ industry standards.
    1. EBSA advises plan sponsors to seek out service providers that adhere to a recognized information security standard and have a third-party auditor check and verify their cybersecurity. If the service provider's security systems and procedures are backed by regular audit reports that validate information security, system/data availability, processing integrity, and data confidentiality, you can reasonably expect your retirement plans to be less vulnerable to internal and external cybersecurity risks.
  2. Investigate how the service provider validates its procedures and what security requirements are met and enforced. EBSA recommends looking “for contract provisions that give you the right to review audit results demonstrating compliance with the standard.”
  3. Examine the vendor's track record in the industry, including public records about data protection incidents, other lawsuits, and legal proceedings involving the vendor's services.
  4. Ask the service provider about previous security breaches, what happened, and how the service provider handled the situation.
  5. Ask the service provider about any insurance plans that would cover losses caused by data breaches and identity theft “(including breaches caused by internal threats, such as misconduct by the service provider’s own employees or contractors, and breaches caused by external threats, such as a third party hijacking a plan participants’ account).”
  6. When signing a contract with a service provider, ensure that the contract requires ongoing compliance with cybersecurity and information protection requirements. Be wary of contract provisions that limit “the service provider's responsibility for IT security breaches.”

For additional guidance on selecting a service provider, visit the DOL’s article titled “Tips for Hiring a Service Provider With Strong Cybersecurity Practices.”

2. Implementing a cybersecurity program.

Because “ERISA-covered plans often hold millions of dollars or more in assets and maintain personal data on participants,” they can be enticing targets for cybercriminals. EBSA's guidance outlines several best practices for plan recordkeepers and service providers that oversee plan-related IT systems and records, as well as for plan fiduciaries who are responsible for assessing and selecting plan service providers. The following are EBSA's best practices:

  1. Have a formalized and well-documented cybersecurity program in place.
  2. Conduct thorough risk assessments on a yearly basis.
  3. Have a trusted third-party audit of security controls performed every year.
  4. Establish and delegate positions and responsibilities for information security.
  5. Have strict access management policies in place.
  6. For assets or data stored in a cloud or managed by a third-party service provider, ensure these items undergo adequate security checks and independent security assessments.
  7. Regularly conduct cybersecurity awareness training.
  8. Implement and maintain a program to “manage a secure system development life cycle (SDLC).”
  9. Have a strong business resiliency plan in place that covers “business continuity, disaster recovery, and incident response.”
  10. Encrypt confidential data when it is in storage and in transit.
  11. Implement strong technical controls in line with security best practices.
  12. Respond appropriately to any past cybersecurity incidents.

For additional information, EBSA expands on each of these best practices to offer more guidance to recordkeepers, service providers, and plan fiduciaries as they implement their own policies and procedures in its article titled “Cybersecurity Program Best Practices.”

3. Being aware of basic online security rules.

By adhering to the following basic rules provided by EBSA, you will reduce the risk of fraud and loss to your retirement account:

  1. Register for and set up your online account, and monitor it regularly.
  2. Make sure your passwords are strong and unique.
  3. “Use multi-factor authentication.”
  4. Keep personal contact details up to date.
  5. Close or delete accounts that are no longer in use.
  6. Approach free Wi-Fi networks with caution.
  7. Be wary of phishing scams.
  8. Use antivirus software and keep all applications and software up to date.
  9. Understand how to report identity theft and cybersecurity incidents.

EBSA expands on each of these tips in its article titled “Online Security Tips.”

Plan fiduciaries must continue taking reasonable steps to minimize these risks. This new guidance should help the responsible parties protect retirement plan participants and assets from both internal and external cybersecurity risks.

How PrimePay can help.

With PrimePay, your business is safe from fraud.

PrimePay is an SSAE 18 Type II compliant payroll company. This means that we have undergone a rigorous auditing process to provide the peace of mind that our company is secure.

With our Premier ERISA Compliance Services, you'll benefit from our industry-leading guarantee and legal compliance review of plan documents. Our ERISA Services portal greatly enhances the enrollment and renewal processes and further improves accessibility and accuracy.

Disclaimer: Please note that this is not all-inclusive. Our guidance is designed only to give general information on the issues actually covered. It is not intended to be a comprehensive summary of all laws which may be applicable to your situation, treat exhaustively the subjects covered, provide legal advice, or render a legal opinion. Consult your own legal advisor regarding the specific application of the information to your own plan.