U.S. Department of Labor Updates its Guidance on Cybersecurity for Employee Benefit Plans

Cybercriminals’ recent focus on the large amount of assets in retirement plans has properly received much publicity. That focus, and the resulting theft of participants’ retirement plan accounts in several cases, led to a February 11, 2021 report from the Government Accountability Office (“GAO”). In that report, the GAO stated that it “is making two recommendations to DOL to formally state whether it is a fiduciary’s responsibility to mitigate cybersecurity risks in [defined contribution retirement] plans and to establish minimum expectations for addressing cybersecurity risks” in those plans.

In response, the DOL issued April 14, 2021 guidance that was the DOL’s first guidance directly addressing cybersecurity in retirement plans. On a broad level, the DOL’s position was that plan fiduciaries must mitigate cybersecurity risks in their plans. That guidance was unclear, however, as to whether it only applied to defined contribution retirement plans.

On September 6, 2024, the DOL published an update to that April 2021 guidance. The new guidance, which is Compliance Assistance Release No. 2024-01 (the “Release”), modifies the 2021 guidance by clarifying that such guidance and the Release apply “to all types of ERISA plans, including health and welfare plans and all employee pension benefit plans.” That is reflected in the following updated guidance in the Release:

  1. Tips for Hiring a Service Provider, which is intended to help plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.
  2. Cybersecurity Program Best Practices, to assist plan fiduciaries and record-keepers in their responsibilities to manage cybersecurity risks.
  3. Online Security Tips, which offers basic rules to reduce the risk of fraud and loss, for plan participants and beneficiaries who check their retirement accounts or other employee benefit plan information online.

Plan sponsors may wish to review this guidance and discuss it with their IT personnel and their plan’s service provider(s). Plan sponsors could also consider communicating the “Online Security Tips” guidance to plan participants (and to beneficiaries of deceased participants) and using that guidance in future educational campaigns.