In April 2021, the Department of Labor (DOL) issued cybersecurity guidance that illustrates its expectations for how plan sponsors are to protect the information they maintain for participants in their benefit plans. Although the guidance is geared toward employer retirement plans, it applies to all plan sponsors and fiduciaries regulated by ERISA.

The guidance is separated into three sections:

1. Tips for hiring a Service Provider:  focuses on the security controls and practices that plan sponsors should consider when they contract with record-keeping and data storage vendors;
2. Cybersecurity Program Best Practices: illustrates best practices for use by recordkeepers and other service providers responsible for plan-related IT systems and data, and for plan fiduciaries making prudent decisions on the service providers they should hire; and
3. Online Security Tips:  provides a list of basic rules for plan participants to help reduce the risk of fraud and loss to their retirement accounts.

What compliance obligations do plan sponsors have with respect to these recommendations?

Officially, this DOL guidance is structured as “best practices”.  Although it doesn’t have the force of law or regulation, it seems clear that the DOL is communicating what its expectations are from an oversight perspective.  Plan sponsors should take note of the tips for hiring Service Providers and should make certain their vendors are utilizing the types of practices outlined in the first two sections.  They may also want to review their own cybersecurity practices in light of these recommendations.

Henderson Brothers’ compliance support provides concierge-style assistance to our clients who are struggling to understand federal and state benefit regulations.  If you are a plan sponsor and having a difficult time keeping up with your compliance obligations, give us a call – we can help.

Please note that the information contained in this posting is designed to provide general awareness in regard to the subject matter covered. It is not provided as legal, medical, or tax advice, nor is it intended to address all concerns in your workplace or for public health. No representation is made as to the sufficiency for your specific company’s needs. This post should be reviewed by your legal counsel or tax consultant before use.