Cybersecurity Guidance for Retirement Plan Sponsors: Tips that Could Become Minimum Requirements

In April 2021, the U.S. Department of Labor (DOL) issued its first-ever guidance to retirement plan sponsors, service providers and plan participants on cybercrime. Issued as “guidance” and not regulations, the tips suggested are a likely precursor to what may become minimum cybersecurity standards by law.

The U.S. Government Accountability Office (GAO) recently urged the Department of Labor to issue guidance identifying minimum expectations for mitigating cybersecurity risks. The GAO rightly recognized that while the pace of change in technology in our increasingly digital world has provided innumerable improvements to our personal and professional lives, those improvements are accompanied by a variety of cybersecurity risks. Retirement plan participant data and assets are a significant target of cybersecurity threats, and plan sponsors, recordkeepers, and service providers have a responsibility to protect accounts and personally identifiable information (PII).

In April 2021, the DOL’s Employee Benefits Security Administration (EBSA) responded to the GAO’s request with guidance for plan sponsors, recordkeepers and participants to counter cybersecurity threats and protect assets and PII. In doing so, the message was made clear: a process for managing cybersecurity is an ERISA function. The good news is that the guidance is extensive and as with other duties, creating and maintaining a documented process is key.

DOL Cybersecurity Guidance

The DOL’s cybersecurity guidance package is presented in three separate documents, primarily intended for three audiences:

  1. For Plan Sponsors and Fiduciaries: Tips for Hiring a Service Provider with Strong Cybersecurity Practices
  2. For Plan Fiduciaries and Service Providers: Cybersecurity Program Best Practices
  3. For Plan Participants: Online Security Tips.

The guidance is presented as “tips” and “best practices.” The guidance itself is sub-regulatory and does not constitute a final regulation from the DOL, so it does not have the full force of law or regulation. However, failing to acknowledge and implement the essentials of this guidance could create potential liability for plan sponsors or fiduciaries in the event of a plan data breach or other cybersecurity incident.

Implementing the Guidance

The first step in meeting your duty regarding cybersecurity is to familiarize yourself and your committee with this guidance. Below is a brief summary of the key components of the first document (intended for plan sponsors and fiduciaries in selecting service providers) to help protect your plan and its participants against a cybersecurity breach.

Ask about and evaluate the service provider’s:

  1. DOCUMENTED PROCESS: Security standards, practices and policies, and audit results
    • Are these recognized standards? How do they compare to industry standards?
    • Does the service provider use an outside (third-party) auditor to review and validate cybersecurity? 
  2. VALIDATION: Evidence of its practices, and the security standards it has met and implemented
    • Does your contract give you the right to review audit results demonstrating compliance with the standard?
  3. REPUTATION: Performance in the industry
    • What public information exists on security incidents, litigation, and legal proceedings related to the vendor’s services?
  4. TRACK RECORD: History of security breaches
    • What happened, and how did the service provider respond?
  5. INSURANCE POLICIES:
    • Are there insurance policies that would cover losses caused by cybersecurity and identity theft breaches (including internal breaches caused by misconduct by the service provider’s own employees or contractors, and external threats, such as a third party hijacking a plan participant’s account)?
  6. ONGOING COMPLIANCE and PROTECTIVE CONTRACT ENHANCEMENTS, such as provisions on:
    • Information Security Reporting. Requirement of an annual third-party audit to determine compliance with information security policies and procedures.
    • Use and Sharing of Information and Confidentiality.
    • Notification of Cybersecurity Breaches. The contract should identify how quickly you would be notified of any cyber incident or data breach.
    • Compliance with Records Retention and Destruction, Privacy and Information Security Laws.
    • Insurance. Requirement of insurance coverage such as professional liability and errors and omissions liability insurance, cyber liability and privacy breach insurance, and/or fidelity bond/blanket crime coverage.

A Prudent Process Highland Already Observes

Highland already requires recordkeepers to provide evidence of the protective processes employed to thwart cybercrime, not because it’s law, but because it’s the right expectation of a fiduciary. Highland will help you understand other components of a sound cybersecurity process for your plan. One action you can implement now is to distribute the Online Security Tips to your plan participants. There are other actions that you may want to consider to prevent retirement plan cybercrime, and as your Investor Advocates®, we are ready to guide you through them in a thorough process.

Highland Consulting Associates, Inc. was founded in 1993 by a small group of associates convinced that companies and individuals could be better served with integrity, impartiality, and stewardship. Today, Highland is 100% owned by a team of owner-associates galvanized around this promise: As your Investor Advocates®, we are Client First. Every Opportunity. Every Interaction.

Highland Consulting Associates, Inc. is a registered investment adviser. Information presented is for educational purposes only and is not intended as an offer or solicitation for the sale or purchase of specific securities, investments, or investment strategies. Investments involve risk and, unless otherwise stated, are not guaranteed. Be sure to first consult with a qualified financial adviser and/or tax professional before implementing any strategy discussed herein. Past performance is not indicative of future performance.

Rich Swanner, CPFA, QKA