The U.S. Department of Labor (DOL) recently issued cybersecurity guidance for 401k plan sponsors, recordkeepers, other vendors, participants, and beneficiaries. This is the first official DOL guidance on 401k cybersecurity best practices.

The DOL issued its cybersecurity guidance through the following three resources:

The guidance shows that the DOL takes the position that plan fiduciaries have a legal duty to mitigate cybersecurity risk. At the same time, the DOL recognizes that non-fiduciaries (such as participants, beneficiaries, and third-party vendors) play an integral role in 401k plan cybersecurity.

12 DOL Best Practices to Mitigate Cybersecurity Risks

The DOL provided the following 12 best practices [4] to help plan fiduciaries and/or vendors mitigate cybersecurity risks.

  1. Have a formal well-documented cybersecurity program.
  2. Conduct prudent annual risk assessments.
  3. Have a reliable annual third-party audit of security controls.
  4. Clearly define and assign information security roles and responsibilities.
  5. Have strong access control procedures.
  6. Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security review and independent security assessments.
  7. Conduct periodic cybersecurity awareness training.
  8. Implement and manage a secure system development life cycle (SDLC) program.
  9. Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
  10. Encrypt sensitive data, stored and in-transit.
  11. Implement strong technical controls in accordance with best security practices.
  12. Appropriately respond to any past cybersecurity incidents.

Employer Actions

Although not required by statute or regulation, employers and plan third-party vendors are encouraged to consider adopting these best practices to help withstand any DOL scrutiny related to cybersecurity.

Additional Resources


  1. Employee Benefits Security Administration, United States Department of Labor, Cybersecurity Program Best Practices, https://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/best-practices.pdf
  2. Employee Benefits Security Administration, United States Department of Labor, Online Security Tips, https://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/online-security-tips.pdf
  3. Employee Benefits Security Administration, United States Department of Labor, Tips for Hiring a Service Provider with Strong Cybersecurity Practices, https://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/best-practices.pdf
  4. Employee Benefits Security Administration, United States Department of Labor, Cybersecurity Program Best Practices, https://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/best-practices.pdf
  5. Id.
  6. U.S. Department of Labor, News Release, U.S. Department of Labor Announces New Cybersecurity Guidance for Plan Sponsors, Plan Fiduciaries, Record-Keepers, Plan Participants (April 14, 2021), https://www.dol.gov/newsroom/releases/ebsa/ebsa20210414

Pensionmark Financial Group, LLC (“Pensionmark”) is an investment adviser registered under the Investment Advisers Act of 1940. Financial Advisors at Pensionmark may also be registered representatives of Pensionmark Securities, LLC (member SIPC), which is affiliated with Pensionmark through common ownership.

Jenny Kiesewetter — Jenny is a Retirement Plan Compliance Consultant for Sequoia, where she works with our clients to optimize and streamline retirement plan compliance. In her free time, Jenny enjoys spending time with her friends and family, traveling, live music, and dining out.