NEWS FROM D.C.

Best practices to help protect 401(k) plans from cyber risks

In March 2021, the Government Accountability Office (GAO) released a report on 401(k) plans entitled "Federal Guidance Could Help Mitigate Cybersecurity Risks in 401(k) and Other Retirement Plans." As part of the report, the GAO recommended that the Department of Labor (DOL) issue cyber security guidance for plan sponsors, plan participants and service providers.

The week of April 12, 2021, the DOL released its guidance for service providers, plan fiduciaries and participants. The guidance is in the form of recommended best practices:


Service providers: A list of cyber security program best practices

The DOL prepared best practices for use by recordkeepers and other service providers responsible for plan-related information systems and data, and for plan fiduciaries making prudent service provider hiring decisions.


Plan fiduciaries: Tips for consideration when hiring service providers

Plan sponsors of 401(k) plans often rely on service providers to maintain plan records and to keep participant data confidential and plan accounts secure. They should therefore use service providers that follow strong cyber security practices.


Participants: Online security tips on how to reduce the risk of fraud and loss

Participants can reduce the risk of fraud and loss to their retirement account by following some basic rules and best practices.


It is important to note that these are meant to be helpful guidelines and are not regulations. Regulations are different in that they require compliance and are subject to enforcement actions.

Key takeaways

Bank of America’s Global Information Security division reviewed the guidance and can confirm that we have a robust information security program that is consistent with the DOL guidance.

Download Bank of America’s point‑by‑point response to the DOL cyber security guidance.

Promote online safety best practices to your workforce through Merrill’s seminars and workshops, online guides and articles, and more.