
DOL issues new cybersecurity guidance for retirement plan sponsors


Cybersecurity has been a critical topic for businesses of all sizes. Now cybersecurity is a requirement for retirement plans to ensure the safety of their data.

On April 14, 2021, the Department of Labor’s (DOL) Employee Benefits Security Administration (EBSA) agency issued its very first cybersecurity guidance for ERISA-regulated retirement plans. The guidance is directed at retirement plan sponsors, plan fiduciaries, record keepers, and plan participants.

EBSA’s cybersecurity guidance states explicitly, “responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks”. The guidance comes in the form of three documents. Each document outlines what steps plan sponsors, plan fiduciaries, record keepers and plan participants should take to safeguard personal data and retirement assets against cyber threats. Below is a summary of the guidance with links to the original documents.


  • Tips for Hiring a Service Provider: Provides a due diligence framework for plan sponsors and fiduciaries to evaluate and select service providers with strong cybersecurity practices and monitor their activities, as required by ERISA, including the following:
    • Ask for the service provider’s information security standards, practices and policies, and audit results, and compare them to industry standards.
    • Request information from the service provider on how it validates its practices, and what levels of security standards it has met and implemented.
    • Evaluate the service provider’s track record in the industry, including public information regarding information security incidents.
    • Ask whether the service provider has experienced past security breaches and how the service provider responded.
    • Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches.
    • Make sure that the contract requires ongoing compliance with cybersecurity and information security standards. Beware contract provisions that limit the service provider’s responsibility for IT security breaches.


  • Cybersecurity Program Best Practices: A roadmap for plan fiduciaries, record-keepers, and other service providers to identify and manage cybersecurity risks. The guidance includes formal and effective policies and procedures governing the following eighteen areas:
    • Data governance and classification.
    • Access controls and identity management.
    • Business continuity and disaster recovery.
    • Configuration management.
    • Asset management.
    • Risk assessment.
    • Data disposal.
    • Incident response.
    • Systems operations.
    • Vulnerability and patch management.
    • System, application and network security and monitoring.
    • Systems and application development and performance.
    • Physical security and environmental controls.
    • Data privacy.
    • Vendor and third-party service provider management.
    • Consistent use of multi-factor authentication.
    • Cybersecurity awareness training, which is given to all personnel annually.
    • Encryption to protect all sensitive information transmitted and at rest.


  • Online Security Tips: Advice for plan participants and beneficiaries on good cyber hygiene and steps to reduce the risk of fraud and loss through online account compromise. This is designed to be distributed to plan participants.


EBSA guidelines state that retirement plan cybersecurity should be a top priority for ERISA plan sponsors and fiduciaries. Plan fiduciaries should review the guidance and use it to assess service provider cybersecurity as well as their own. Many companies will find that the EBSA guidance may overlap with or complement general cybersecurity best practices that they already have in place. Following the recommendations and documenting compliance may also help protect plan fiduciaries against any future legal claims in the event of an internal or service provider data breach. If you have any questions about the guidance and how it may impact your plan, please contact us.