EBSA Guidance on Cybersecurity

Brandt Colville
04/12/2022

On April 14, 2021, the U.S. Department of Labor’s (DOL) Employee Benefits Security Administration (EBSA) released cybersecurity guidance aimed at protecting workers’ retirement benefits. This guidance was directed at plan sponsors, plan fiduciaries, administrative record-keepers and plan participants. The information below is a brief summary of the overall guidance and the complete guidance can be found here.

Cybersecurity Program Best Practices

This guidance sets out information technology security protocols for benefit plans covered by the Employee Retirement Income Security Act (ERISA) and outlines 12 points for cybersecurity risk mitigation, including conducting cybersecurity risk assessments at least annually and commissioning third-party audits of system security controls.

Plan sponsors' cybersecurity programs should be managed at the executive level, ideally by the Chief Information Security Officer (CISO), and cybersecurity awareness training should be conducted at least annually. Plan sponsors should use a dynamic training protocol that is regularly updated based on the risks identified through the plan's risk self-assessment process.

Plan sponsors and fiduciaries should also use a Secure System Development Life Cycle (SDLC) program. A properly designed SDLC program ensures that cybersecurity considerations play a central role when new systems are designed, rather than being bolted on after deployment.

Tips for Hiring a Service Provider with Strong Cybersecurity Practices

This guidance is aimed at helping plan sponsors and fiduciaries protect plan data when working with a third party. It includes six core points that plan sponsors and fiduciaries should follow in order to meet their responsibilities under ERISA.

Plan sponsors should ensure that service providers have protections addressing access control policies, encryption policies and a notification protocol to follow should a cybersecurity incident affect plan participant data. These protections should also include ongoing compliance with evolving cybersecurity and information security standards, not just compliance at the time the provider is hired.

Online Security Tips

Directed at plan participants, this guidance provides a list of best practices to reduce the risk of fraud and cybersecurity threats to retirement accounts, such as using multifactor authentication where available, changing passwords regularly and avoiding free or public Wi-Fi when possible.

Sources and References

  1. "Cybersecurity Program Best Practices" – United States Department of Labor
  2. News Release – US Department of Labor Cybersecurity Guidance

About The Author

Brandt Colville

Brandt Colville has over 23 years of experience in the retirement plan advisory industry and holds the Accredited Investment Fiduciary Analyst (AIFA) designation. In addition, Brandt holds the FINRA Series 65, 7 and 63 securities licenses.
