Employee Benefits Security Administration Cybersecurity Guidance

As we approach ERISA season, it is more important now than ever to remember that even our retirement benefits are at risk for cybersecurity attacks. 

For the first time in history, the Employee Benefits Security Administration (EBSA) has issued cybersecurity guidance for ERISA-covered retirement programs, which outlines best practices for record-keepers, plan sponsors and fiduciaries, participants and beneficiaries.  The guidance came in three forms: (i) cybersecurity program best practices for record-keepers and other service providers, (ii) tips for plan sponsors on selecting a service provider, and (iii) general online security tips. 

While ERISA has always required plan fiduciaries to take appropriate precautions to mitigate internal and external cybersecurity threats, such precautions were undefined and ambiguous prior to this guidance. Now that this guidance has been released, it is important for plan sponsors and fiduciaries to incorporate it into existing plan oversight processes. Any action taken should be documented in plan-related records in order to demonstrate conformity with the guidance, e.g., service provider due diligence, enhancements to internal controls, etc.  

See below for some tips that the guidance suggests plan sponsors, fiduciaries and participants take in order to stay ahead of cybersecurity crime:

1. Hire a service provider with strong cybersecurity practices and monitor their activities

  1. Understand their security standards
  2. Ask the service provider if they have had previous security breaches and how they responded to the situation
  3. Make sure the contract requires ongoing compliance that includes cybersecurity and information security standards
  4. For a comprehensive list, please visit the following link: Tips For Hiring a Service Provider With Strong Cybersecurity Practices (dol.gov)

2. Stay at the forefront of cybersecurity risks by following these best practices

  1. Develop a well-documented, formal cybersecurity program
  2. Have an independent auditor assess your organization’s cybersecurity controls to identify existing risks, vulnerabilities and weaknesses
  3. Clearly define and assign information security roles and responsibilities
  4. For the full list of best practices, please visit the following link: Cybersecurity Program Best Practices (dol.gov)

3. For plan participants who access their retirement accounts online, here are some basic tips to mitigate the risk of fraud and loss

  1. Routinely monitor your account for unusual activity
  2. Keep personal contact information current with your employer and retirement service providers
  3. Use multi-factor authentication
  4. Be aware of phishing attacks and try to stay clear of “free Wi-Fi”
  5. For additional tips, please visit the following link: Online Security Tips (dol.gov)


If you have any questions related to the information above or cybersecurity in general, please contact our office to speak to an expert in our Retirement Solutions Group or Risk Advisory Group.  


You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2024 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
Six-Figure Ransomware Attack Hits Washington County, PA
SOC 2 - What is ACTUALLY required?
Romance Scams: Guarding Your Heart and Wallet
Update on GLBA for Higher Ed
A First of Its Kind: The $25 Million Deepfake Scam
Fortifying Retail Security: Essential Cybersecurity Tools and Software
Register to receive our weekly newsletter with our most recent columns and insights.
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.