Cybersecurity is an ERISA Fiduciary Duty

The Department of Labor’s Employee Benefits Security Administration (EBSA) has issued cybersecurity guidelines for fiduciaries of ERISA-subject plans. While these best practices are directed toward ERISA plans, they are also worth consideration by non-ERISA plans such as government and church plans.

By releasing its guidance on cybersecurity, the EBSA makes clear that, in order to properly discharge their duties (particularly the duty of care, skill, prudence, and diligence and the duty to monitor), fiduciaries must enact safeguards against potential cyberattacks. The guidance includes three documents:

Tips for Hiring a Service Provider with Strong Cybersecurity Practices

ERISA requires fiduciaries to prudently select and monitor service providers. The EBSA recommends that fiduciaries ask current and prospective service providers whether the service provider has a cybersecurity insurance policy that includes coverage for identity theft breaches and for breaches caused by both internal and external threats. The EBSA recommends that fiduciaries make such insurance coverage a contract condition, but cautions that fiduciaries should “understand the terms and limits of any coverage before relying upon it as protection from loss” and “beware of contract provisions that limit the service provider’s responsibility for IT security breaches.”

Fiduciaries should also include strong contract safeguards to ensure service provider accountability. The EBSA recommends that fiduciaries include (1) provisions that require the service provider’s ongoing compliance with cybersecurity and information security standards, (2) provisions that require the service provider to obtain a third-party cybersecurity audit each year and that give the plan fiduciary the right to review the audit results, (3) outlined procedures for notification of cybersecurity breaches, ensuring “the service provider’s cooperation to investigate and reasonably address the cause of the breach,” and (4) specification of the service provider’s “obligations to meet all applicable federal, state, and local laws, rules, regulations, directives, and other governmental requirements pertaining to the privacy, confidentiality, or security of participants’ personal information.”

Cybersecurity Program Best Practices

The second of three documents released by the EBSA is geared toward helping plan fiduciaries and record-keepers “ensure proper mitigation of cybersecurity risks.” ERISA plan fiduciaries can provide this document to existing and potential service providers, in order to establish clear expectations.

Fiduciaries should hire service providers that:

  • Have a formal, well-documented cybersecurity program.
  • Conduct prudent annual risk assessments.
  • Have a reliable annual third-party audit of security controls.
  • Clearly define and assign information security roles and responsibilities.
  • Have strong access control procedures.
  • Ensure that data/assets undergo appropriate security reviews/assessments.
  • Conduct periodic cybersecurity awareness training.
  • Implement and manage a secure system development life cycle (SDLC) program with regular vulnerability scans and annual penetration tests.
  • Have an effective business resiliency program.
  • Encrypt sensitive data, stored and in transit.
  • Implement strong technical controls.
  • Appropriately respond to cybersecurity incidents.

Online Security Tips (for plan participants)

The final document offered by the EBSA is a two-page guide that fiduciaries should consider including in plan communications to participants and beneficiaries. The guide includes tips that can help reduce the risk of fraud and loss to a participant’s account, such as:

  • Participants should register and regularly check their retirement accounts online. This will help participants more quickly detect unusual activity. Participants should ensure the plan administrator has the participant’s most up-to-date contact information.
  • Participants should close any unused online accounts in order to minimize their online vulnerability.
  • Participants should use strong and unique passwords. Passwords should be changed every 120 days, and immediately in the case of a security breach. Strong passwords are at least 14 characters long and contain a combination of uppercase and lowercase letters, numbers, and special characters.
  • Use multi-factor authentication. Forms of multi-factor authentication include (1) additional login credentials such as a PIN or security questions, (2) a security code sent to the user’s mobile phone or email, or (3) biometric data, such as fingerprint or facial recognition.
  • Do not use unsecured or public Wi-Fi networks. When accessing important accounts, participants should always use a secured network.
  • Beware of phishing scams. Phishing scams take many forms, all meant to trick a user into clicking a link or sharing account information, passwords, or other sensitive data.
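The password rules in the tips above (at least 14 characters; uppercase, lowercase, numbers and special characters; changed every 120 days or immediately after a breach) are concrete enough to enforce in code. The following is an added illustration, not code from the EBSA guidance or from CBIZ: a small policy checker that a plan administrator's account-management system could run when a participant sets a password, plus a helper that decides whether a password is past its change window. The thresholds are taken from the tips; the function names and the sample passwords are constructed for this example.

```python
from datetime import date, timedelta
import string

# Thresholds as stated in the EBSA online security tips.
MIN_LENGTH = 14
MAX_PASSWORD_AGE_DAYS = 120


def password_policy_failures(password: str) -> list[str]:
    """Return a list of policy rules the password violates (empty if it complies).

    Reporting every failure at once lets the UI show the participant
    everything that needs fixing instead of one rule per attempt.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    # string.punctuation is used as the "special character" set here; an
    # assumption for this example, since the tips do not define the set.
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    return failures


def meets_policy(password: str) -> bool:
    """True when the password satisfies every rule above."""
    return not password_policy_failures(password)


def rotation_due(last_changed: date, today: date, breach_suspected: bool = False) -> bool:
    """Decide whether a participant must change their password now.

    A suspected breach forces an immediate change regardless of age;
    otherwise the password is due once it reaches MAX_PASSWORD_AGE_DAYS.
    """
    if breach_suspected:
        return True
    return today - last_changed >= timedelta(days=MAX_PASSWORD_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    for candidate in ("Tr0ub4dor&3xample!", "short1A!", "alllowercaseletters"):
        problems = password_policy_failures(candidate)
        print(f"{candidate!r}: {'OK' if not problems else ', '.join(problems)}")
    print("rotation due:", rotation_due(date(2021, 1, 1), date(2021, 5, 1)))
```

The checker deliberately returns the full list of violations rather than a boolean so the feedback to the participant is actionable; `meets_policy` wraps it for callers that only need a yes/no. Note that the 120-day comparison uses `>=`, so a password set on 1 January is due on 1 May (day 120), matching the "every 120 days" wording.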

The information contained in this article is provided as general guidance and may be affected by changes in law or regulation. This article is not intended to replace or substitute for accounting or other professional advice. Please consult a CBIZ professional. This information is provided as-is with no warranties of any kind. CBIZ shall not be liable for any damages whatsoever in connection with its use and assumes no obligation to inform the reader of any changes in laws or other factors that could affect the information contained herein.


© Copyright CBIZ, Inc. and CBIZ CPAs P.C. (together, “CBIZ”). All rights reserved. Use of the material contained herein without the express written consent of the firms is prohibited by law. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.

CBIZ is the brand name for CBIZ CPAs P.C. and CBIZ Advisors, LLC (together), a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of growth-oriented companies. CBIZ Advisors, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ). CBIZ CPAs P.C. is an independent CPA firm that provides audit, review and attest services, and works closely with CBIZ, a business consulting, tax and financial services provider. CBIZ and CBIZ CPAs P.C. are members of Kreston Global, a global network of independent accounting firms. This publication is protected by U.S. and international copyright laws and treaties. Material contained in this publication is informational and promotional in nature and not intended to be specific financial, tax or consulting advice. Readers are advised to seek professional consultation regarding circumstances affecting their organization.
