ERISA fiduciary obligation

DOL cybersecurity guidance for firms managing retirement assets

The Department of Labor treats cybersecurity as a fiduciary duty. If you manage ERISA plan assets or handle participant data, DOL examiners will ask about your cybersecurity program. BlackSheep maps every DOL EBSA expectation and tracks where you stand.

$249/month · All features included · No credit card to start

  • 2021: Guidance issued by DOL EBSA
  • $9.3T: In ERISA plan assets DOL oversees
  • 14: Controls across 10 categories
  • 95: Implementation criteria in BlackSheep

What DOL EBSA expects from fiduciaries

The guidance covers three areas: tips for hiring service providers, cybersecurity program best practices, and online security tips. Here are the controls DOL expects you to have in place.

Formal Cybersecurity Program

A documented program with clearly defined roles, annual reviews, and board or senior management oversight. Not a policy you wrote once and forgot about.

Annual Risk Assessments

Identify threats, assess vulnerabilities, evaluate your current controls, and document the results. Risk assessments should drive your program priorities.

Access Controls

Limit access to sensitive plan data and systems. Multi-factor authentication, least privilege access, periodic access reviews, and timely deprovisioning when people leave.

Third-Party & Cloud Security

Evaluate service providers before you hire them. Require cybersecurity protections in contracts. Monitor cloud environments. DOL auditors ask how you vet vendors.

Cybersecurity Training

Annual cybersecurity awareness training for all personnel. Cover phishing, social engineering, password habits, and how to report incidents.

Encryption

Encrypt sensitive plan data at rest and in transit. DOL expects real encryption and proper key management, not just checking the box.

Secure Development (SDLC)

If you build or customize software that touches plan data, follow a secure development lifecycle. Code reviews, testing, and vulnerability management.

Business Resiliency

Business continuity and disaster recovery plans that cover plan operations. Test them regularly. Know your recovery time targets.

Breach Response

A documented incident response plan specific to plan data breaches. Know who to notify, when, and how. DOL expects you to act fast and document everything.

Does this apply to your firm?

DOL EBSA cybersecurity guidance applies broadly. If you touch ERISA plan money or data, DOL considers this your responsibility.

ERISA Plan Fiduciaries

Plan sponsors, trustees, named fiduciaries

  • Select and monitor service providers
  • Ensure prudent cybersecurity practices
  • Include cyber requirements in service agreements
  • Conduct due diligence on provider security

Investment Managers

RIAs acting as 3(38) or 3(21) fiduciaries

  • Maintain a formal cybersecurity program
  • Annual risk assessments
  • Encryption and access controls
  • Business resiliency planning
  • Incident response procedures

Service Providers

Recordkeepers, TPAs, custodians, payroll

  • Show strong cybersecurity to win business
  • Expect cybersecurity provisions in contracts
  • Prepare for DOL audit inquiries
  • Annual SOC 2 or equivalent assessment
  • Prompt breach notification

Common questions about DOL EBSA cybersecurity

Is DOL EBSA cybersecurity guidance legally binding?

Not technically. It's guidance, not a codified regulation. But DOL has stated that cybersecurity is a fiduciary responsibility under ERISA. Examiners ask about it during plan audits, and failing to have a reasonable program could expose you to breach of fiduciary duty claims. Treat it as if it's mandatory.

My firm already complies with SEC Reg S-P. Do I still need to address DOL EBSA?

Yes. Reg S-P covers client information protection broadly for SEC registrants. DOL EBSA is about ERISA plan assets and participant data specifically. There's real overlap, but DOL focuses on retirement-specific risks, vendor vetting for plan service providers, and fiduciary-grade controls. BlackSheep maps both so you build one program.

What does DOL look for during a plan audit?

Evidence of a formal cybersecurity program, how you vetted and monitor service providers, contractual cybersecurity provisions, incident response readiness, and how you protect participant data. They want documentation. Verbal assurances won't cut it.

Does this apply if we only manage a small retirement plan?

DOL guidance applies regardless of plan size. Whether you manage a $2M 401(k) or a $2B pension, the fiduciary obligation is the same. Smaller firms can get by with simpler controls, but you still need a documented program.

How often should we review our DOL EBSA compliance?

At minimum annually, lined up with your risk assessment cycle. DOL expects ongoing monitoring, not a once-and-done exercise. BlackSheep tracks your status continuously so you always know where things are.

If you manage retirement assets, cybersecurity is your problem too

DOL is asking about cybersecurity during plan audits. BlackSheep maps every DOL EBSA expectation, tracks your controls, and gives you the documentation to show your program is real.

$249/month. Every framework included. No per-plan fees.

14-day free trial. No credit card. 30-day money-back guarantee.