January 2026 Update: DOL elevated cybersecurity to a formal National Enforcement Project under EBSA. Cybersecurity is now one of the agency's highest investigation priorities alongside mental health parity. EBSA's FY 2025 enforcement yielded $1.4 billion in recoveries across 878 civil investigations.

Why This Matters for Your TPA

In April 2021, DOL issued its first-ever cybersecurity guidance for ERISA plan fiduciaries and service providers. The September 2024 update (Compliance Assistance Release No. 2024-01) clarified that this guidance applies to all ERISA-covered plans, including health and welfare plans, not just retirement plans. The January 2026 enforcement elevation means EBSA investigators are now actively examining TPA cybersecurity programs during plan audits.

In Walsh v. Alight Solutions (7th Cir. 2022), the court enforced a DOL subpoena against a recordkeeper that argued it was not an ERISA fiduciary, confirming that EBSA can demand cybersecurity documentation from non-fiduciary service providers. Your TPA IT security program is squarely within DOL's investigatory authority.

The 12 DOL Cybersecurity Best Practices

EBSA's guidance outlines 12 specific cybersecurity practices that service providers—including TPAs—are expected to maintain. Here's what each one requires and how to implement it.

1. Formal, Documented Cybersecurity Program

What DOL expects: A written cybersecurity policy that covers your entire organization, not just IT. It should define scope, objectives, governance structure, and be reviewed annually.

How to implement: Create a comprehensive Information Security Policy aligned with NIST CSF 2.0. Document your security governance structure including who has authority over security decisions. Review and update at least annually or after any significant change to your environment.

2. Annual Risk Assessments

What DOL expects: Regular evaluation of internal and external threats to participant data, your technology infrastructure, and business operations.

How to implement: Conduct annual risk assessments that identify threats specific to TPA operations—unauthorized access to participant PII, ransomware attacks during compliance testing season, vendor compromise. Document findings and remediation plans with timelines.

3. Third-Party Audit of Security Controls

What DOL expects: Independent verification of your security posture through SOC 1/SOC 2 audits or equivalent third-party assessments.

How to implement: Engage an independent auditor to perform SOC 2 Type II examinations annually. If a full SOC 2 is cost-prohibitive, start with a SOC 2 Type I or a NIST CSF assessment. Note that a SOC 1 report covers controls relevant to your clients' financial reporting; security controls are evaluated under the SOC 2 Trust Services Criteria, so a SOC 1 alone does not demonstrate the security posture DOL's guidance describes. Plan sponsors increasingly require SOC reports during due diligence, and having one ready demonstrates compliance maturity.

4. Clearly Defined Security Roles and Responsibilities

What DOL expects: Named individuals responsible for cybersecurity decisions, incident response, and compliance oversight.

How to implement: Designate a security officer (internal or outsourced) with documented authority and accountability. Define roles for incident response, access management, vendor oversight, and training. Ensure your TPA IT provider has clearly defined responsibilities in your service agreement.

5. Strong Access Control Procedures

What DOL expects: Principle of least privilege, multi-factor authentication (MFA), regular access reviews, and prompt deprovisioning of former employees.

How to implement: Implement phishing-resistant MFA (FIDO2/WebAuthn security keys or platform authenticators rather than SMS or one-time codes) on all internet-exposed systems; the September 2024 update specifically calls out phishing-resistant MFA. Conduct quarterly access reviews that reconcile every account on every system against the HR roster, and keep the results as evidence. Automate account deprovisioning for terminated employees so access ends on the termination date rather than at the next review. Restrict administrative access to named individuals, issued through separate admin accounts rather than their day-to-day user accounts.
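One way to produce the quarterly access review evidence described above, as an added example that is not part of DOL's guidance or of any TPA platform: a Python script that reconciles exported account lists against the HR roster and flags terminated users who still hold accounts, orphan accounts with no HR record, accounts not enrolled in MFA, administrative rights held outside the named-admin list, and dormant accounts. The roster, the account exports, the 90-day dormancy threshold and the admin allowlist are all constructed assumptions; in practice the inputs would be exported from the HR system and from each application.

```python
"""Quarterly access review: reconcile application accounts with the HR roster.

Added example for this page, not part of DOL's guidance or any TPA platform.
The roster and account exports below are constructed; in practice they would
come from the HR system and from each application (directory, recordkeeping
platform, payroll integration, and so on).
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Employee:
    user_id: str
    status: str                      # "active" or "terminated"
    term_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    user_id: str
    system: str
    mfa_enrolled: bool
    is_admin: bool
    last_login: Optional[date]       # None means the account has never logged in


# Named individuals approved for administrative access (assumed list).
ADMIN_ALLOWLIST = {"jsmith"}

# Review date and constructed sample exports.
AS_OF = date(2026, 1, 15)

HR_ROSTER = [
    Employee("jsmith", "active"),
    Employee("mlee", "active"),
    Employee("tnguyen", "terminated", term_date=date(2025, 12, 1)),
    Employee("rpatel", "active"),
]

ACCOUNTS = [
    Account("jsmith", "directory", mfa_enrolled=True, is_admin=True, last_login=date(2026, 1, 14)),
    Account("mlee", "recordkeeping", mfa_enrolled=False, is_admin=False, last_login=date(2026, 1, 10)),
    Account("tnguyen", "directory", mfa_enrolled=True, is_admin=False, last_login=date(2025, 11, 28)),
    Account("svc_backup", "directory", mfa_enrolled=False, is_admin=True, last_login=None),
    Account("rpatel", "recordkeeping", mfa_enrolled=True, is_admin=True, last_login=date(2025, 9, 1)),
]


def review_access(roster, accounts, admin_allowlist, as_of, dormant_days=90):
    """Return one finding per control violation, suitable for the review evidence file."""
    by_id = {e.user_id: e for e in roster}
    findings: List[Dict[str, str]] = []

    def add(acct: Account, code: str, detail: str) -> None:
        findings.append({"user_id": acct.user_id, "system": acct.system,
                         "code": code, "detail": detail})

    for acct in accounts:
        emp = by_id.get(acct.user_id)
        if emp is None:
            # No HR record: shared/service account or a leftover identity.
            add(acct, "ORPHAN", "no matching HR record")
        elif emp.status == "terminated":
            detail = (f"terminated {(as_of - emp.term_date).days} days ago"
                      if emp.term_date else "terminated, date not recorded")
            add(acct, "TERMINATED_NOT_DEPROVISIONED", detail)
        if not acct.mfa_enrolled:
            add(acct, "NO_MFA", "account not enrolled in MFA")
        if acct.is_admin and acct.user_id not in admin_allowlist:
            add(acct, "UNAPPROVED_ADMIN", "administrative rights outside the named-admin list")
        if acct.last_login is None or (as_of - acct.last_login).days > dormant_days:
            add(acct, "DORMANT", f"no login in {dormant_days} days")
    return findings


def summarize(findings):
    """Count findings by code, the figure usually reported to management."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["code"]] = counts.get(f["code"], 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(HR_ROSTER, ACCOUNTS, ADMIN_ALLOWLIST, AS_OF)
    for f in results:
        print(f"{f['code']:<30} {f['system']:<14} {f['user_id']:<12} {f['detail']}")
    print(summarize(results))
```

Each finding should be closed out with a documented action (disable, remove admin rights, enrol in MFA, or a signed exception) before the next quarter; the dated output plus those dispositions is the "access control documentation" an investigator asks for. With the constructed data the script reports eight findings, including the terminated user still holding a directory account 45 days after separation.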

6. Third-Party Vendor Security Reviews

What DOL expects: Due diligence on every vendor that accesses participant data—recordkeepers, software vendors, payroll providers, and IT service providers.

How to implement: Maintain a vendor inventory with data classification for each. Require SOC 2 reports or equivalent security attestations from all vendors handling participant data. Include cybersecurity requirements in all vendor contracts. Conduct annual vendor risk assessments.

7. Cybersecurity Awareness Training

What DOL expects: Regular security training for all employees who access participant data or plan systems.

How to implement: Deploy monthly phishing simulations and quarterly security awareness training. Track completion rates and remediate failures. Training should cover TPA-specific scenarios: fraudulent distribution requests, impersonation of plan sponsors, and social engineering targeting participant data.

8. Secure System Development Life Cycle (SDLC)

What DOL expects: Secure practices for any custom software, integrations, or system configurations your TPA develops or maintains.

How to implement: Document change management procedures for all system modifications, including who requested and who approved each change. Test changes in a staging environment before production deployment. For custom code and integrations, add code review and vulnerability scanning before release. Maintain audit trails for all configuration changes to TPA administration systems.

9. Business Resiliency Program

What DOL expects: Disaster recovery and business continuity plans that are tested and updated regularly.

How to implement: Maintain immutable or offline backups that a compromised administrator account cannot alter or delete, and test restores rather than only confirming that backup jobs completed. Define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for critical TPA systems. Test disaster recovery annually, ideally with a tabletop exercise simulating ransomware during year-end compliance testing season.

10. Data Encryption

What DOL expects: Encryption of participant data both at rest and in transit.

How to implement: Encrypt all storage volumes containing participant data (AES-256). Require TLS 1.2 or later for all data transmission and disable SSL and TLS 1.0/1.1 on your servers. Encrypt email communications containing PII. Encrypt backup data and verify encryption on offsite replicas. Keep in mind that at-rest encryption protects against lost or stolen media and disks, not against an attacker using a valid login, so it complements access control rather than replacing it; manage encryption keys separately from the data they protect.

11. Strong Technical Controls Aligned with NIST

What DOL expects: Technical controls consistent with recognized security practices: systems and firmware kept current and patched, firewalls and intrusion detection, antivirus or endpoint protection, network segregation, routine backups, and regular vulnerability scanning, benchmarked against an industry framework such as NIST.

How to implement: Align your security controls with NIST CSF 2.0 or NIST SP 800-53. Deploy endpoint detection and response (EDR) on all workstations and servers. Segment the network so administrative and production environments are separated; a VLAN alone does not enforce separation, so pair it with firewall rules or ACLs that restrict traffic between segments. Maintain 24/7 security monitoring through a SOC/MDR service.

12. Documented Incident Response Procedures

What DOL expects: A written, tested incident response plan with defined escalation procedures and notification timelines.

How to implement: Create a documented incident response plan that defines severity levels, escalation paths, containment procedures, and notification timelines. The September 2024 update specifically requires breach notification to participants "without unreasonable delay." Include contact information for legal counsel, cyber insurance carriers, and law enforcement. Test the plan annually with tabletop exercises.

What Happens During a DOL Cybersecurity Examination

When EBSA investigators examine a plan's cybersecurity practices, they typically issue a document request letter asking for your cybersecurity policy, most recent risk assessment, SOC reports or third-party audit results, access control documentation, incident response plan, employee training records, vendor security assessments, and evidence of encryption and monitoring.

TPAs that cannot produce organized documentation face extended investigations and potential enforcement actions. The TPA firms that maintain audit-ready documentation—updated continuously, not assembled after receiving a request letter—demonstrate the compliance maturity that DOL expects.

How TPAIT Helps TPAs Meet DOL Requirements

TPAIT's TPA IT services are designed around these 12 requirements from the ground up. Our cybersecurity program addresses every DOL best practice with documented controls, continuous monitoring, and audit-ready reporting. We maintain the documentation, run the assessments, deploy the technical controls, and coordinate with your compliance team to ensure your TPA meets or exceeds DOL expectations.

We built our services specifically for Third-Party Administrators because we've spent nearly two decades inside TPA operations. We understand that compliance testing season creates different risk profiles than Q1 onboarding, that ESOP valuation transfers require different security controls than routine payroll integrations, and that a 15-minute response time during Form 5500 filing season isn't a luxury—it's a business requirement.

Download the Checklist

Score your TPA against all 12 DOL cybersecurity best practices with our free one-page self-assessment tool.

Download DOL Readiness Checklist (PDF)

Assess Your DOL Cybersecurity Readiness

Get a complimentary assessment of your current TPA IT security posture against DOL's 12 best practices.

Book Free IT & Cyber Assessment