Employee benefit plans are a growing target for cyber threats due to the volume and sensitivity of the data they hold. From participant Social Security numbers and medical histories to financial and payroll information, this data is highly valuable to bad actors and often dispersed across multiple third-party vendors. In response, the Department of Labor (DOL) expects plan fiduciaries to take a proactive approach, maintaining strong cybersecurity programs and assessing their effectiveness annually through qualified independent third parties.
At Withum, our cybersecurity team works closely with plan sponsors and employee benefit plan professionals to help organizations assess risk, evaluate vendors and align with DOL cybersecurity expectations.
In this article, we review the DOL’s best practices and highlight practical steps organizations can take to align with them.
A Refresh on the DOL Cybersecurity Best Practices
The DOL outlines 12 best practices that reflect key areas of responsibility for ERISA plan sponsors and service providers:
| DOL Best Practice | Description |
|---|---|
| 1 | Have a formal, well-documented cybersecurity program in place. |
| 2 | Perform prudent annual risk assessments. |
| 3 | Have a reliable third party perform an audit or assessment of security controls on an annual basis. |
| 4 | Have clearly defined and assigned information security roles and responsibilities. |
| 5 | Have strong access control procedures. |
| 6 | Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments. |
| 7 | Conduct regular cybersecurity awareness training. |
| 8 | Implement and manage a secure development life cycle (SDLC) program that includes security assurance activities. |
| 9 | Have an effective business resiliency program addressing business continuity, disaster recovery and incident response. |
| 10 | Encrypt sensitive data, stored and in transit. |
| 11 | Implement strong technical control solutions. |
| 12 | Appropriately respond to any past cybersecurity incidents or breaches. |
While the guidance is currently framed as best practices, there is growing industry speculation that elements of the DOL’s cybersecurity framework will become formal requirements in the near future. Taking steps now puts plan sponsors in a stronger position for when the guidance eventually shifts from recommendation to requirement.
Interested in Practical Next Steps?
Watch our on-demand webinar on DOL cybersecurity guidance for ERISA plans for insights on emerging threats, real-world risks to benefit plans, and how to build a future-ready cybersecurity program aligned with DOL expectations.
Putting Guidance Into Practice: Where Organizations Need Support
Navigating these best practices can be challenging, especially when multiple vendors, systems and compliance frameworks are involved. Many organizations choose to engage outside cybersecurity professionals to help assess their programs, evaluate vendor risk and implement stronger controls.
Below are common areas where plan sponsors should seek outside support to ensure that their cybersecurity program aligns with the DOL best practices:
Independent Cybersecurity Assessments
A vendor can evaluate your current program by reviewing policies, procedures, physical and technical controls, incident response capabilities and more, benchmarking against DOL guidance.
Third-Party Vendor Risk Reviews
From actuaries to recordkeepers, performing annual assessments of your third-party vendors’ cybersecurity fitness helps confirm that they meet cybersecurity requirements and adequately protect participant data.
Security Testing and Risk Identification
Performing targeted testing can help your organization understand how well its defenses stand up to real-world threats. This includes:
- Vulnerability scans to identify exposed systems and security gaps
- Penetration testing to simulate attacker behavior and assess internal risk
- Phishing simulations to evaluate employee response and improve awareness
- Lateral movement and privilege escalation testing to assess the depth of access
- Clear reporting on findings and recommended remediation steps
Cybersecurity Program Consulting
Plan sponsors should build or mature their internal cybersecurity programs in alignment with the DOL’s best practices by:
- Developing or refining third-party vendor risk management programs
- Implementing secure system development life cycle (SDLC) practices
- Establishing or enhancing access control procedures
- Designing cybersecurity awareness training initiatives
- Building business continuity, disaster recovery, and incident response plans
- Supporting secure offboarding practices and continuous monitoring
If your organization is assessing vendor risk or evaluating its cybersecurity program against DOL guidance, Withum’s team can provide support through independent assessments, testing and strategic consulting.
Contact Us
Contact Withum’s Cyber and Information Security Services Team to discuss the next steps.