Is It Time to Check Your Cybersecurity Strategy for Employee Benefit Plans?

Last updated on September 25th, 2023

Not a day goes by when the war on cybercrime isn’t headline news. World powers, including the U.S., are stepping up their defenses and strategies daily. What does this mean to employee benefit plan sponsors, fiduciaries, record-keepers, and even plan participants?

On July 26, the Securities and Exchange Commission (SEC) issued rules requiring public companies to “disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.” While intended to provide investors with timely, consistent information, this action serves as a strong reminder to review and strengthen cybersecurity strategies.

Benefit plan sponsors, fiduciaries, record-keepers, and others may want to revisit the Department of Labor (DOL) and Employee Benefits Security Administration (EBSA) enforcement focus areas and guidelines launched in April of 2021 to address cybersecurity risks associated with employee benefit plans.

With DOL enforcement activity likely to pick up following the end of the COVID National Emergency and Public Health Emergency earlier this year, now may be a good time to review the DOL/EBSA resources, including:

  • Tips for Hiring a Service Provider: These can help plan sponsors and fiduciaries select service providers with strong cybersecurity practices and monitor their activities.
  • Cybersecurity Program Best Practices: These are designed to help plan fiduciaries and record-keepers manage cybersecurity risks.
  • Online Security Tips: These provide tips to plan participants and beneficiaries who check their retirement accounts online to reduce the risk of fraud and loss.

As noted in the original DOL press release accompanying the launch of these resources, “The guidance announced today complements EBSA’s regulations on electronic records and disclosures to plan participants and beneficiaries. These include provisions on ensuring that electronic recordkeeping systems have reasonable controls, adequate records management practices are in place, and that electronic disclosure systems include measures calculated to protect Personally Identifiable Information.”

Considering that the ERISA Advisory Council’s December 2022 reports included Cybersecurity Issues Affecting Health Benefit Plans and Cybersecurity Insurance and Employee Benefit Plans, this is likely an evolving story.

For more information and resources about our country’s efforts to protect and enhance cyber infrastructure, visit the Cybersecurity and Infrastructure Security Agency website (which includes resources for small and midsized businesses).

As you work with legal counsel, IT experts, Human Resources staff, and other resources to fulfill responsibilities for employee benefit plan cybersecurity, you can count on RBT CPAs for all of your accounting, tax, audit, and advisory needs. To learn more, give us a call today.

RBT CPAs does not outsource work to any other country. All of our work is prepared in the U.S.A. 

NOTE: This article is informational only and not intended as legal advice or direction.