In the Darkness at the Edge of Town… Cybersecurity Guidance for Plan Participants, Record-Keepers, and Plan Sponsors From The EBSA

Holland & Hart - The Benefits Dial

On April 14, 2021, the Employee Benefits Security Administration (“EBSA”) published guidance for plan sponsors, plan fiduciaries, record-keepers, and plan participants on best practices for maintaining cybersecurity. This is the first time that the EBSA has given cybersecurity guidance to the estimated 34 million defined benefit plan participants and 106 million defined contribution plan participants, with an estimated $9.3 trillion in assets.

The guidance emphasizes that the participants and assets are at risk from internal and external cybersecurity threats, and that ERISA fiduciaries have an obligation to take appropriate precautions to minimize these risks.

There are three parts to the guidance:

(i) Tips for Hiring a Service Provider,

(ii) Cybersecurity Program Best Practices, and

(iii) Online Security Tips.

While this guidance is intended to help plan sponsors, fiduciaries, and participants to safeguard their retirement benefits and personal information, the mention of fiduciary duties should also be noted. We recommend that ERISA fiduciaries review this guidance because failure to follow these recommended practices, or at least to implement comparable procedures, would not look good in the event of a breach and claims by participants or other parties for lax security procedures.

In addition, we review service provider agreements, and many times the service providers reject liability for cybersecurity breaches altogether in initial drafts of these agreements. If you have not reviewed your service provider contracts for cybersecurity, this guidance would be a good occasion to do that. The guidance is intended to work with other EBSA guidance on electronic records and disclosures.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Holland & Hart - The Benefits Dial | Attorney Advertising
