EMPLOYEE BENEFITS SECURITY ADMINISTRATION UNITED STATES DEPARTMENT OF LABOR
CYBERSECURITY PROGRAM BEST PRACTICES
ERISA-covered plans often hold millions of dollars or more in assets and maintain personal
data on participants, which can make them tempting targets for cyber-criminals. Responsible
plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.
The Employee Benefits Security Administration has prepared the following best practices for
use by recordkeepers and other service providers responsible for plan-related IT systems
and data, and for plan fiduciaries making prudent decisions on the service providers they
should hire. Plans’ service providers should:
1. Have a formal, well documented cybersecurity program.
2. Conduct prudent annual risk assessments.
3. Have a reliable annual third party audit of security controls.
4. Clearly define and assign information security roles and responsibilities.
5. Have strong access control procedures.
6. Ensure that any assets or data stored in a cloud or managed by a third party service
provider are subject to appropriate security reviews and independent security
assessments.
7. Conduct periodic cybersecurity awareness training.
8. Implement and manage a secure system development life cycle (SDLC) program.
9. Have an effective business resiliency program addressing business continuity,
disaster recovery, and incident response.
10. Encrypt sensitive data, stored and in transit.
11. Implement strong technical controls in accordance with best security practices.
12. Appropriately respond to any past cybersecurity incidents.
1. A Formal, Well Documented Cybersecurity Program.
A sound cybersecurity program identifies and assesses internal and external cybersecurity
risks that may threaten the confidentiality, integrity, or availability of stored nonpublic
information. Under the program, the organization fully implements well-documented
information security policies, procedures, guidelines, and standards to protect the security of
the IT infrastructure and data stored on the system. A prudently designed program will:
Protect the infrastructure, information systems and the information in the systems from
unauthorized access, use, or other malicious acts by enabling the organization to:
• Identify the risks to assets, information and systems.
• Protect each of the necessary assets, data and systems.
• Detect and respond to cybersecurity events.
• Recover from the event.
• Disclose the event as appropriate.
• Restore normal operations and services.
Establish strong security policies, procedures, guidelines, and standards that meet the
following criteria:
• Approval by senior leadership.
• Review at least annually with updates as needed.
• Terms are effectively explained to users.
• Review by an independent third party auditor who confirms compliance.
• Documentation of the particular framework(s) used to assess the security of its
systems and practices.