The Department of Labor’s Cybersecurity Program Best Practices (opens in new tab) define 12 controls EBSA expects from plan service providers — including TPAs. With cybersecurity a formal National Enforcement Project since January 2026 (opens in new tab), this is the checklist an EBSA investigator’s document request will effectively test you against.

Scoring: Yes = fully implemented and documented. Partial = in progress or undocumented. No = not in place. Click any practice name for implementation guidance.

The 12 DOL EBSA cybersecurity best practices — TPA self-assessment
PracticeYesPartialNo
1. Formal, Documented Cybersecurity Program
Written policy covering your entire TPA, reviewed annually, with defined scope and governance.
2. Annual Risk Assessments
Documented evaluation of threats to participant data, systems, and operations — with remediation plans.
3. Third-Party Audit of Security Controls
Independent verification via SOC 2 Type II, NIST CSF assessment, or equivalent third-party examination.
4. Clearly Defined Security Roles
Named individual(s) responsible for cybersecurity decisions, incident response, and compliance oversight.
5. Strong Access Control Procedures
Phishing-resistant MFA on all internet-exposed systems. Least privilege. Quarterly access reviews.
6. Third-Party Vendor Security Reviews
Documented due diligence on every vendor touching participant data — recordkeepers, payroll, IT providers.
7. Cybersecurity Awareness Training
Regular phishing simulations and security training for all staff. Documented completion rates.
8. Secure System Development Life Cycle
Change management procedures for all system modifications. Testing before production deployment.
9. Business Resiliency Program
Tested DR & business continuity plans with defined RTO/RPO for critical TPA systems.
10. Data Encryption
AES-256 encryption at rest. TLS 1.2+ in transit. Encrypted backups with separate key management.
11. Strong Technical Controls (NIST-Aligned)
24/7 monitoring, EDR/MDR, network segmentation, vulnerability management, patch management.
12. Documented Incident Response Procedures
Written IR plan with severity levels, escalation paths, notification timelines. Tested annually.
0
Yes
0
Partial
0
No

How to read your score: 10–12 Yes = strong posture. 7–9 Yes = gaps exist that a plan-sponsor questionnaire or DOL examiner would surface. Fewer than 7 Yes = your firm is carrying meaningful regulatory and fiduciary risk.

What to Do with Your Gaps

Every Partial or No is an item EBSA investigators, plan-sponsor due-diligence questionnaires, and cyber-insurance underwriters can ask you to explain. Our DOL Cybersecurity Compliance Guide covers what each practice requires and how to implement it in a TPA environment, and our plan sponsor questionnaire guide shows how to present your posture to clients.

Common Questions

Is this checklist based on official DOL guidance?

Yes. Each of the 12 items maps directly to EBSA’s Cybersecurity Program Best Practices, first issued in April 2021 and confirmed to apply to all ERISA plans and service providers by Compliance Assistance Release 2024-01 (September 2024).

Does the DOL actually check these items for TPAs?

Yes. Cybersecurity has been a formal EBSA National Enforcement Project since January 15, 2026. During investigations, EBSA requests documents such as cybersecurity policies, risk assessments, third-party audit reports, training records, and incident response plans — the same items on this checklist.

Can I get this checklist as a PDF?

Yes — download the printable one-page PDF version (opens in new tab) to score your firm on paper or share with your leadership team.

Want a Second Set of Eyes on Your Answers?

Book a free IT & cybersecurity assessment and we’ll validate your self-assessment against DOL expectations—no obligation.

Book Free IT & Cyber Assessment (opens in new tab)