U.S. Department of Labor Cybersecurity Guidance for Employee Benefit Plans

As cyber criminals continue to target employers and benefit plan service providers, the importance of maintaining a fulsome cyber security program is more critical than ever for organizations across industry verticals.   

The U.S. Department of Labor (DOL) has made it clear that employee benefit plan sponsors have a fiduciary responsibility to address critical cyber risks. In 2021, the DOL’s Employee Benefits Security Administration (ESBA) division announced landmark guidance for plan sponsors, plan fiduciaries, record keepers and service providers on best practices for cybersecurity. The primary objective of this guidance is to address the threats of cyber attacks, crime and fraud perpetrated against these benefit programs. 

At the time the EBSA published this guidance, it estimated there were 34 million defined benefit plan participants in private pension plans and 106 million defined contribution plan participants covering estimated assets of $9.3 trillion. 

The significance of this cybersecurity guidance from the DOL cannot be overstated, as it was the first time the EBSA issued guidance for cybersecurity. This guidance is intended for plan sponsors and fiduciaries regulated by the Employee Retirement Income Security Act.

Cybersecurity Program Best Practices
The cornerstone of the DOL cybersecurity guidance is the Cybersecurity Program Best Practices, which is intended to aid plan fiduciaries and record-keepers in carrying out their responsibilities to manage cybersecurity risks. 

Key elements from the cybersecurity guidance for employers, fiduciaries and service providers to consider include the following:

1. Have a formal, well-documented cybersecurity program.
2. Conduct prudent annual risk assessments.
3. Evaluate, assess and monitor third party service providers.
4. Have a reliable annual third-party audit of security controls.
5. Conduct periodic cybersecurity awareness training.
6. Implement strong technical controls in accordance with best security practices.
7. Appropriately respond to any cybersecurity incidents.

How Alliant Cyber consulting can help
Alliant Cyber consulting is uniquely positioned to assist our clients with various aspects of the DOL’s cybersecurity guidance, specifically by offering the following services that are directly aligned to the guidance:

• Benefits Service Provider Cyber Risk Assessment
  • Identify, assess and prioritize key cyber risks within and across the key vendors and service providers that the organization uses for ERISA record keeping, data processing and other services.
    
    
  • Conduct services for one vendor or across a selection of key vendors.
    
    
  • Address, manage and remediate potential weaknesses across the population of key vendors, which is critical to its fiduciary responsibilities.
    
    
• Plan Sponsor Cyber Mapping and Risk Diagnostic
  • Drive holistic visibility and awareness of critical cyber risks across the organization related to ERISA record keeping, data processing and service providers.
    
    
  • Identify blind spots in the organization’s ERISA governance program, including how it manages cyber risk and compliance matters on behalf of plan participants.
    
    
  • Enable better management of key fiduciary responsibilities across the organization, including internal processes and resources, in addition to external parties.