Department of Labor’s (DOL) Guidance on Cybersecurity

In April 2021, the DOL released cybersecurity guidance to manage cybersecurity risks associated with workplace plan systems and accounts. This is the first cybersecurity guidance issued from the DOL, and it sets forth the DOL’s expectations for plan fiduciaries, service providers, employers, and participants to better protect workplace savings accounts from fraudsters and cybercriminals seeking to steal money and sensitive financial and personal information.

Specifically, the guidance was issued in three forms:

• Tips for Hiring a Service Provider: Assists plan sponsors and fiduciaries in the evaluation and monitoring of cybersecurity practices of retirement plan service providers by outlining a series of questions and topics, including important elements of contracts with service providers, insurance coverage, data breaches, and access to audit information.
• Cybersecurity Program Best Practices: Outlines key elements of cybersecurity programs that should be followed by plan fiduciaries and service providers, ranging from clearly defined information security roles and access controls to encryption of data stored and in-transit, to business resiliency and continuity programs, including annual associate cybersecurity training.
• Online Security “Tips” for Retirement Investors: Describes how plan participants can reduce the risk of fraud and loss by following basic rules to protect their retirement accounts.