Protecting Plan Assets – Department of Labor Releases Cybersecurity Guidance

Are your assets properly protected? Are your firewalls up to date? As of 2018, defined benefit and defined contribution plans hold over nine trillion dollars' worth of assets. However, the level of security safeguarding these assets was deemed subpar by the Department of Labor (DOL). As a result, the DOL drafted broad-reaching guidance to address issues with securing assets.

On April 14, 2021, the DOL's Employee Benefits Security Administration (EBSA) released cybersecurity guidance for plan sponsors, fiduciaries, and recordkeepers to reduce security breaches. Most retirement plans have a significant amount of assets under their control, which requires sufficient security measures to protect against breaches. ERISA requires plan fiduciaries to take steps to eliminate or mitigate both internal and external cybersecurity threats and risks. The guidance provided by EBSA is separated into three sections: 1) cybersecurity best practices; 2) tips for plan sponsors on selecting service providers; and 3) general online security tips. Below is a brief explanation of each.

Cybersecurity Best Practices

Service providers handling employee benefits in both the public and private sectors should be vigilant about any potential risks while actively working to eliminate and/or reduce them. The EBSA suggests that plan fiduciaries, service providers, and recordkeepers responsible for Information Technology (IT) systems should:

  • Have a formal cybersecurity program that is well documented.
  • Implement prudent annual risk assessments and audits.
  • Employ a reliable third-party audit for security programs and controls.
  • Have strong access procedures in place (ex. two-step authentication options for logins).
  • Hold regular cybersecurity updates and training workshops.

Tips for Selecting Service Providers

  • Inquire about their security standards, procedures, policies, processes, and how they are updated and validated.
  • Inquire about audit results regarding security risks/threats and, if there have been any breaches, ask them to explain the breaches and their resolutions.
  • Ask about security levels currently in use (ex. encryption software).
  • Compare the service provider’s programs and procedures to those being used by other financial institutions.
  • Inquire about insurance coverage regarding cybersecurity and liability.
  • Ensure that any contract allows the Plan to monitor for ongoing compliance and provides proper notification of breaches or other related issues.

General Online Security Tips

  • Register, set up, and routinely monitor online accounts.
  • Use strong and unique passwords.
  • Use multi-factor authentication.
  • Keep personal contact information current.
  • Close or delete unused accounts (ex. after 12 months of inactivity, close the online account).
  • Advise against using free Wi-Fi in places like airports, hotels, and/or coffee shops.
  • Be vigilant of phishing attacks (if you do not recognize the telephone number or email address, do not open the message or follow any links provided).


Overall, the EBSA's guidance includes some practices that many participants, fiduciaries, and everyday people already use. Due to the high dollar amount of assets handled by fiduciaries and service providers and the cyber risks that exist, it is wise to revisit any existing policies, procedures, and insurance contracts to ensure plan assets and participant benefits are sufficiently protected.

Allotta | Farley routinely reviews service provider contracts and encourages all plans and fiduciaries (Plan Administrators, Investment Consultants, and Trustees) to carry proper cyber liability coverage. We recommend you set up a meeting with your Plan Fiduciary to determine if your assets are properly being safeguarded.

For a more in-depth explanation, here are links to the DOL guidance on the sections referenced above:

Cybersecurity Best Practices

Tips for Hiring Service Providers

General Online Security Tips