
Department of Labor, Employee Benefits Security Administration Cybersecurity Best Practices for Plan Administrators and Participants

Cybercrime rose sharply during the Covid-19 pandemic and has become a predominant method of fraud.  ERISA-covered plans are attractive targets for cybercriminals because they often hold millions of dollars in assets and maintain valuable non-public personal information about participants.  The Department of Labor and its Employee Benefits Security Administration (“EBSA”) recognize this ever-evolving threat and have placed heightened importance on cybersecurity and related best practices.  As part of this effort, EBSA published guidance entitled Online Security Tips for plan administrators and participants, which can help reduce the risk of fraud and loss.  This blog highlights the key cybersecurity principles contained in that guidance.

First, it is important to register, set up, and routinely monitor your online account.  Maintaining online access to your retirement account helps protect it.  Registering matters because, if you never claim your online account, a cybercriminal who has gathered enough of your personal information may register it in your name and take control of it.  However, having an online account alone is insufficient.  You must check the account regularly to reduce the risk of fraudulent access or activity going unnoticed.  Active monitoring is a powerful fraud prevention tool, and turning on account activity notifications (for logins, contact changes, and withdrawals) further assists this purpose.

Strong, unique passwords combined with multi-factor authentication are another powerful tool for protecting access to your online account.  Dictionary words, information readily available through social media (spouse, children, hobbies, etc.), and basic passwords are too easy for cybercriminals to break in 2021.  Use letters (both upper and lower case), numbers, and special characters ($@!#); the guidance recommends 14 or more characters in total.  Letters and numbers should not be in sequence (for example, “abc” or “567”).  Passwords should not be written down.  A secure password manager can help create and track passwords.  The guidance recommends changing passwords every 120 days or whenever there is a security breach, and passwords should never be shared, reused, or repeated.  No matter how strong a password is, cybercriminals also obtain credentials through phishing, breaches of other websites where the same password was reused, and automated guessing, which is why multi-factor authentication is always needed as an additional layer of protection.  Multi-factor authentication (or two-factor authentication) requires a second credential to verify your identity (e.g., entering a code sent in real time via text message or email).  Codes delivered by text or email are far better than no second factor at all, but an authenticator app or a hardware security key is harder for an attacker to intercept or redirect.
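As an added example (not part of the EBSA guidance or of this post), the following Python checks a candidate password against the rules listed above: minimum length, all four character classes, no sequential runs of letters or digits, and no dictionary words or personal information.  The dictionary and personal-information sets are constructed stand-ins; a real plan portal would load a large breached-password list and the participant's own profile data instead.

```python
import string

# Constructed sample data for the demo. A real deployment would check against a
# large dictionary/breached-password list and the participant's own profile data
# (names of spouse, children, pets, hobbies) rather than these short sets.
COMMON_WORDS = {"password", "welcome", "retirement", "summer", "letmein"}
PERSONAL_TOKENS = {"jennifer", "fido", "golf"}

MIN_LENGTH = 14      # EBSA Online Security Tips: use 14 or more characters
RUN_LENGTH = 3       # "abc" / "567" style runs are what the tips warn against


def has_sequential_run(pw, run=RUN_LENGTH):
    """True if `run` adjacent letters or digits step by exactly +1 or -1
    (case-insensitive), e.g. 'abc', 'CBA', '567', '321'."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        if not (window.isalpha() or window.isdigit()):
            continue                       # mixed letters/digits are not a run
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def password_failures(pw):
    """Return the list of rules the password breaks (empty means it passes)."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("too short")
    if not any(c.islower() for c in pw):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        failures.append("no digit")
    if not any(c in string.punctuation for c in pw):
        failures.append("no special character")
    if has_sequential_run(pw):
        failures.append("sequential letters or digits")
    lowered = pw.lower()
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            failures.append(f"contains dictionary word: {word}")
    for token in sorted(PERSONAL_TOKENS):
        if token in lowered:
            failures.append(f"contains personal information: {token}")
    return failures


def is_acceptable(pw):
    return not password_failures(pw)


if __name__ == "__main__":
    for candidate in ("Password123!", "GolfJennifer2021!!", "Tr!ckle-Qu4rtz-Lamp9"):
        print(candidate, "->", password_failures(candidate) or "OK")
```

Returning the full list of failures, rather than a single yes/no, lets a portal tell the participant exactly which rule to fix; the substring checks for dictionary words and personal tokens deliberately catch the common trick of padding a weak word with digits and symbols.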

Another way to prevent fraud is to keep personal contact information current.  Contact information should be updated whenever it changes, and multiple communication options (phone, email, and mailing address) should be on file so that the plan can reach you if there is a problem.  Accounts that are no longer in use should be closed or deleted.  Closing unused accounts shrinks your online footprint and leaves fewer places where your information can be exposed.

One should always be wary of free Wi-Fi.  Free Wi-Fi networks (even if password protected) are shared with everyone else who connects to them.  Public Wi-Fi at hotels, airports, or coffee shops poses security risks because cybercriminals on the same network may be able to intercept traffic from, or gain access to, your connected device.  It is always better to use your own cell phone connection, your home network, or your own password-protected hotspot than any free Wi-Fi option.  If public Wi-Fi is unavoidable, connect only to sites that use HTTPS or go through a trusted VPN, and avoid signing in to financial accounts at all.

Antivirus software should always be used, and applications and software must be kept current.  Antivirus software protects your computers and mobile devices from viruses and other malware.  All software should be kept up to date with the latest patches and upgrades; cybercriminals actively look for devices that have not been patched against known vulnerabilities, and keeping current closes those openings before they can be exploited.

Always beware of phishing attacks, which aim to trick you into sharing your password, account numbers, and sensitive personal information so that the attacker can gain access to your accounts.  Most cybercrime begins with a successful phish.  Phishing messages may appear to come from trusted organizations to lure you into clicking a malicious link or passing along confidential information.  Common red flags associated with phishing are as follows:

1) A text message or email you did not expect, or one that comes from a person or service that you do not know or use.
2) Spelling errors or poor grammar.
3) Mismatched links (a seemingly legitimate link sends you to an unexpected address).  This can often be spotted by hovering your mouse over the link without clicking it so that your browser displays the actual destination.
4) Shortened or odd links or addresses.
5) An email request for your account number or personal information.  Legitimate providers never send emails or texts asking for passwords, account numbers, personal information, or answers to security questions.
6) Offers or messages that seem too good to be true, express great urgency, or are aggressive and scary.
7) Strange or mismatched sender addresses.
8) A catch-all: anything else that makes you feel uneasy.
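An added example, not from the original post: a small Python screener that applies several of these red flags to an email with an HTML body, namely a visible link that names one host while the href goes somewhere else (red flag 3), shortened links and a raw IP address as the link host (red flag 4), urgency language (red flag 6), and a Reply-To address on a different domain than the From address (red flag 7).  The two sample messages, their .example domains, and the 198.51.100.23 address are constructed; the shortener hostnames are real services.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Real, widely used URL shorteners; any of these hosts hides the true destination.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
# Pressure phrases typical of phishing lures.
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "suspended", "verify your account")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable(host):
    """Crude 'last two labels' so secure.example.com matches example.com (demo only;
    production code should use a public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def link_flags(href, text):
    """Red flags for one link: shortener, raw IP host, or text/destination mismatch."""
    flags = []
    host = urlparse(href).hostname or ""
    if host in SHORTENER_HOSTS:
        flags.append(f"shortened link: {href}")
    try:
        ipaddress.ip_address(host)
        flags.append(f"raw IP address in link: {href}")
    except ValueError:
        pass
    # The visible text names a host, but the href actually goes somewhere else.
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if shown and registrable(shown.group(1)) != registrable(host):
        flags.append(f"mismatched link: text shows {shown.group(1)} but goes to {host or href}")
    return flags


def phishing_flags(raw_email):
    """Return the red flags found in one RFC 822 message with a single HTML part."""
    msg = message_from_string(raw_email)
    flags = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    body = msg.get_payload()
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        flags.extend(link_flags(href, text))
    found = [term for term in URGENCY_TERMS if term in body.lower()]
    if found:
        flags.append("urgency language: " + ", ".join(found))
    return flags


# Constructed sample messages (not real mail): reserved .example domains and a
# TEST-NET-2 documentation IP address.
PHISH = """\
From: "Acme Retirement Services" <alerts@acme-retirement.example>
Reply-To: support@mail-relay-7.example
To: participant@example.org
Subject: Action required on your account
Content-Type: text/html

<html><body><p>Your account access has been suspended. Verify your account
within 24 hours by signing in at
<a href="http://198.51.100.23/login">https://www.acme-retirement.example/login</a>
or use our quick link <a href="https://bit.ly/3xAmpLe">here</a>.</p></body></html>
"""

LEGIT = """\
From: "Acme Retirement Services" <alerts@acme-retirement.example>
To: participant@example.org
Subject: Your quarterly statement is available
Content-Type: text/html

<html><body><p>Your statement is ready. Sign in at
<a href="https://www.acme-retirement.example/statements">https://www.acme-retirement.example/statements</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, "->", phishing_flags(raw) or "no red flags")
```

The screener is a triage aid, not a verdict: a message with no flags can still be malicious, and a legitimate notice can trip the urgency check.  Its value is that it mechanizes the "hover over the link" habit described above, comparing what the text shows against where the href really points, which is the check most people skip on a phone.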

Lastly, it is important to know how to report identity theft and cybersecurity incidents.  The FBI and the Department of Homeland Security each maintain a website for reporting cybersecurity incidents, and participants and plan administrators should know where those reporting channels are before an incident occurs.

The success of First State Trust Company (“FSTC”) begins with a relationship of trust between us and our valued clients.  The FSTC team of professionals takes confidentiality and privacy very seriously.  FSTC maintains robust information security, security access, encryption, and disaster recovery/COB policies and procedures.  We are committed to maintaining secure computer systems in order to ensure the security of our data and data processing resources.  We maintain physical, electronic, and procedural safeguards that are reasonably designed to guard your non-public personal information.  We limit the collection of client information to the minimum we require in order to allow us to deliver superior services to our clients.  FSTC will not reveal non-public personal client information to any external party unless we have been authorized by the client to do so or are required by law or our regulators to do so.


Michael McElwee, Esq. AVP/Compliance, AML/OFAC Officer

The posts expressed are views of FSTC and are not intended as advice or recommendations. For informational purposes only.  FSTC does not offer tax, legal, or investment advice, professional counsel should be sought for tax or legal advice.
