The Employee Benefits Security Administration (EBSA) of the Department of Labor has issued new cybersecurity guidance for plan sponsors and fiduciaries regulated by the Employee Retirement Income Security Act (ERISA). The guidance offers tips and best practices in three areas:

  • Tips for Hiring a Service Provider[1]
  • Cybersecurity Program Best Practices[2]
  • Online Security Tips[3]

Although the Tips and Best Practices are not deemed to be regulatory safe harbors, they should serve as the baseline for plan fiduciaries when selecting and monitoring service providers. Since not every fiduciary or plan sponsor has IT and cybersecurity expertise, retaining experts to assist in examining and reviewing such matters may be necessary. Further, plan fiduciaries should review these Tips and Best Practices with current service providers and amend existing agreements where there are inconsistencies or deficiencies; they may even need to replace service providers who are unable or unwilling to conform to these baseline requirements.

Please find here a complete summary.

[1] https://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/tips-for-hiring-a-service-provider-with-strong-security-practices.pdf

[2] https://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/best-practices.pdf

[3] https://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/online-security-tips.pdf