Plan Sponsor Cybersecurity Best Practices

The Department of Labor (DOL) issued three pieces of cybersecurity guidance: tips on what a plan sponsor should look for in a provider, best practices plan providers should have in place, and online security tips for participants and beneficiaries.

According to the DOL, plan providers should have best practices and processes in place to protect plan assets, including but not limited to the following:

  • Have a formal, well-documented cybersecurity program
  • Conduct annual risk assessments
  • Use third parties to audit the program
  • Have strong access controls
  • Conduct periodic cybersecurity training
  • Encrypt sensitive data
  • Have strong technical controls that meet security best practices
  • Appropriately respond to any cybersecurity breaches

Plan fiduciaries also have responsibilities in this regard. The DOL requires plan fiduciaries to prudently select and monitor their providers, the intent of which is to safeguard plan assets. As a cybersecurity breach could affect participant accounts, plan fiduciaries should consider the following:

  • Ask the provider about their cybersecurity practices, procedures, policies and audit results, and compare them to what others in the industry are doing
  • Ask the provider how they evaluate their procedures and what level of security standards they meet
  • Evaluate the provider’s cybersecurity track record based on public records
  • Ask the provider about any prior breaches, what happened and what was done to resolve the issue
  • Ask the provider about any insurance coverage they have that would cover any losses due to cybersecurity breaches
  • Ensure any contract with a provider requires ongoing compliance with security standards
  • Beware of any language in a service contract that limits the provider’s responsibility for any IT security breaches

The DOL believes plan participants and their beneficiaries also have a responsibility to help keep their accounts secure. The DOL suggests participants/beneficiaries:

  • Register their account and monitor it regularly
  • Use strong and unique passwords
  • Use multi-factor authentication (MFA)
  • Keep contact information current
  • Close/delete any unused accounts
  • Consider not using ‘free’ Wi-Fi
  • Don’t share passwords, accounts or other sensitive information with an unknown person, even those posing as a known person; it could be a phishing attack trying to obtain this information to gain access to accounts
  • Use anti-virus software and keep it and all apps current
  • Know how to report identity theft and cybersecurity attacks

Need more help?

Retirement plans are a key benefit to your organization, but managing them can be complex and time-consuming. At CBIZ, we’re passionate about helping people achieve their retirement savings goals while also helping their employers navigate the fiduciary responsibilities that come with sponsoring a retirement plan. Depending on the area, our team of professionals can help guide you to make the decisions that best support your organization. Learn more at www.cbiz.com/retirement or connect with a CBIZ Retirement & Investment Solutions consultant today.

Investment advisory services provided through CBIZ Investment Advisory Services, LLC, a registered investment adviser and a wholly owned subsidiary of CBIZ, Inc.


© Copyright CBIZ, Inc. All rights reserved. Use of the material contained herein without the express written consent of the firms is prohibited by law. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein. Material contained in this publication is informational and promotional in nature and not intended to be specific financial, tax or consulting advice. Readers are advised to seek professional consultation regarding circumstances affecting their organization. 

“CBIZ” is the brand name under which CBIZ CPAs P.C. and CBIZ, Inc. and its subsidiaries, including CBIZ Advisors, LLC, provide professional services. CBIZ CPAs P.C. and CBIZ, Inc. (and its subsidiaries) practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations, and professional standards. CBIZ CPAs P.C. is a licensed independent CPA firm that provides attest services to its clients. CBIZ, Inc. and its subsidiary entities provide tax, advisory, and consulting services to their clients. CBIZ, Inc. and its subsidiary entities are not licensed CPA firms and, therefore, cannot provide attest services.

Published 2021-05-26. Categories: Regulatory, Compliance, & Legislative; Retirement Plan Services.