EBSA’s Cybersecurity Guidance for Retirement Plans


The EBSA Cybersecurity Guidelines provide a roadmap for ERISA trustees to protect against cybersecurity risks for retirement plans

Service provider contracts should be reviewed to include cybersecurity provisions that are in line with EBSA guidelines

Plan Trustees should share the EBSA’s guidelines with participants so they can take steps to protect the security of their retirement accounts

On April 14, 2021, the U.S. Department of Labor’s Employee Benefits Security Administration (EBSA) issued cybersecurity guidance for ERISA retirement plans in response to a request from the Government Accountability Office for suggestions on how plan fiduciaries should protect against cybersecurity risks that threaten plan assets and plan participant data.

The EBSA guidance elevates cybersecurity to a priority for those who manage retirement plans and is divided into three parts: 1) plan sponsors and trustees, 2) recordkeepers and other service providers, and 3) plan participants.

Plan sponsors and trustees

In order to meet their obligations to the ERISA pension plans they oversee, trustees and plan sponsors must exercise the necessary due diligence to identify and protect against cybersecurity risks. Data theft and other cyberattacks are increasingly a reality and likely fertile ground for the plaintiffs’ bar. The EBSA’s recommendations are in line with the cybersecurity policies and procedures many organizations already follow. The guidance provides a roadmap for ERISA plan trustees to mitigate both cybersecurity threats and the risk of a fiduciary-breach claim for failing to maintain participant privacy and account security.

One of the most important guidelines for plan sponsors and trustees is to hire service providers with strong cybersecurity programs and to select and monitor those service providers carefully. Best practices include:

  • Conduct a background check of the service provider against generally available public information, including press reports and litigation records
  • Ask the potential service provider whether and to what extent it has experienced cybersecurity breaches, how it responded to them, and what measures it has taken since then to prevent a recurrence
  • Assess the service provider’s cybersecurity systems, standards, practices, and policies
  • Review the results of previous external independent audits and the service provider’s responses to previous cybersecurity breaches, including the mitigation measures taken
  • Review insurance policies that cover losses, including identity theft, resulting from internal and external cybersecurity breaches
  • Make sure that the agreements with service providers include:
    • Ongoing compliance with cybersecurity and information security standards
    • A requirement that an external independent auditor perform an annual review of compliance with cybersecurity and information security standards, policies, and procedures
    • No limitation on the service provider’s liability for cybersecurity breaches
    • A right to review audit and test results
    • Confidentiality provisions covering private information and protecting against unauthorized access to and disclosure of private information
    • A requirement that the service provider notify the plan sponsor of any cyber incident within a specified period after the incident
    • A commitment that the service provider will investigate, or cooperate in investigating, cyber incidents and take appropriate remedial action

Recordkeepers and other service providers

The guidelines for recordkeepers and other service providers set out general best practices for cybersecurity programs that protect participant data and ensure proper mitigation of cybersecurity risk, including:

  • Implement a formal, well-documented cybersecurity program
  • Conduct annual risk assessments to identify and prioritize information system risks, with a plan to manage the identified risks
  • Perform annual external independent audits of the cybersecurity program’s controls, including penetration test reports and documented remediation of all vulnerabilities identified in the audit
  • Clearly define roles and responsibilities for information security
  • Establish strong access control procedures
  • Perform proper security reviews and independent security assessments of cloud service providers and other third-party providers
  • Conduct cybersecurity awareness training that is updated regularly to reflect the latest risk assessment
  • Implement and manage a secure system development lifecycle program
  • Implement a business resiliency program covering business continuity, disaster recovery, and incident response
  • Encrypt sensitive data at rest and in transit
  • Implement strong technical controls in accordance with security best practices
  • Create and implement an appropriate cybersecurity incident response plan

Plan participants

The EBSA has also provided guidelines for plan participants to reduce the risk of loss to their retirement accounts. It is recommended that plan participants:

  • Set up their online accounts and monitor them routinely
  • Create strong passwords and change them every 120 days
  • Use multi-factor authentication to verify their identity
  • Keep personal contact information up to date so that the plan sponsor can contact them immediately in the event of an incident
  • Close or delete unused accounts to reduce their online footprint
  • Use wireless networks with caution
  • Beware of phishing, which has increased significantly during the COVID-19 pandemic
  • Use antivirus software and install updates in a timely manner
  • Report identity theft and other cybersecurity incidents to the plan and, if necessary, to the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS)

Action steps for plan trustees

The EBSA guidelines state that cybersecurity should be a top priority for ERISA plan trustees in fulfilling their duties to the plans they oversee, and suggest that they:

  • Review their current cybersecurity monitoring process and internal controls in light of the EBSA’s guidance
    • Update fiduciary training to include the EBSA guidelines
    • Implement procedures to document cybersecurity maintenance and compliance
  • Update plan documents as needed and prepare disclosures that communicate the plan’s cybersecurity safeguards and inform participants of the steps they should take to protect their identity and account information
  • Review their service providers’ cybersecurity practices and controls
  • Modify service provider agreements as needed to align with the EBSA’s cybersecurity guidelines
