DOL Cybersecurity Guidance for Plan Sponsors

The DOL’s cybersecurity guidance for plan sponsors remains as relevant as ever. Discover ways to enhance your compliance.

When it comes to providing a retirement plan for your employees, staying compliant with Department of Labor (DOL) guidance is one of the most important responsibilities you take on.


In fact, in a recent survey, Morgan Stanley at Work discovered that 93% of plan sponsors choose to work with a financial advisor specifically for assistance with plan compliance and regulatory oversight.1


One prime area of focus remains compliance with evolving cybersecurity rules. In 2021, when the DOL published guidance on cybersecurity practices for qualified retirement plans, it noted that such plans are prime targets for cyber attackers: there are an estimated 140 million participants in ERISA-governed retirement plans, holding assets of about $9.3 trillion.2 Additionally, retirement plans maintain significant amounts of highly sensitive personal and financial data (think: Social Security numbers, employment information and home addresses).


As a result, without sufficient protections and protocols in place, participants and plan assets may be exposed to cybersecurity threats. The DOL’s 2021 guidance set out best practices to help plan sponsors, plan fiduciaries, service providers and plan participants maintain a prudent cybersecurity program within the retirement plan framework. Since then, the DOL has heightened its focus on cybersecurity issues in its ERISA investigations.3 This makes it increasingly important for plan fiduciaries to strongly consider implementing the guidance to further strengthen their cybersecurity posture.


When it comes to cybersecurity, if you haven’t already, now is the time to start implementing information security protections and protocols and to prepare for potential DOL enforcement.

In this article, we decode the guidance and help plan sponsors understand what is most important to implement to keep their company and employees safe from cyber criminals.


The DOL’s cybersecurity guidance is divided into three parts:

Plan Sponsors (e.g., plan fiduciaries)

Under ERISA, plan sponsors have a fiduciary duty to prudently select and monitor a plan’s service providers. The first part of the DOL’s cybersecurity guidance addresses how to evaluate a service provider’s cybersecurity practices in order to satisfy this fiduciary obligation. The guidance recommends that plan fiduciaries carefully review a service provider’s security standards and compare them against recognized industry standards and frameworks. It encourages plan sponsors to engage in conversations with a current or prospective service provider about its security policies and procedures, any audit results, past security breaches, and whether the service provider carries cybersecurity or identity theft insurance.


Additionally, the DOL strongly advises that a plan fiduciary incorporate various cybersecurity-related provisions in its agreement with a service provider. A contract should include terms that require ongoing compliance with applicable cybersecurity and information security standards and should not include provisions that limit a service provider’s responsibility for security breaches. A fiduciary should also attempt to include terms that require:


  • An annual, third-party audit to determine compliance with policies and procedures, with the plan fiduciary reserving the right to review the audit results
  • Confidentiality and clear provisions on the use and sharing of information, including clear limitations on the use of such information
  • Notification of data breaches and, in the event of a breach, the service provider’s cooperation to investigate and reasonably address the cause of the breach
  • Compliance with records retention and destruction, privacy and information security laws
  • Insurance coverage such as professional liability and errors and omissions liability insurance, cyber liability and privacy breach insurance, and fidelity bond/blanket crime coverage


Plan sponsors should discuss these issues with their legal advisors. 

Service Providers

The second part of the DOL guidance provides best practices for service providers to ensure they have a strong cybersecurity infrastructure. Service providers should have a formal, well-documented cybersecurity program that protects their IT infrastructure and retirement plan data from both internal and external threats. A service provider should institute formal and effective policies and procedures requiring annual risk assessments and review by a third-party auditor. As the DOL notes, risk assessments for assets or data stored in a cloud environment or managed by a third-party service provider are crucial.


According to the DOL, for a cybersecurity program to be effective and accountable, it must be managed at the senior executive level, such as by a chief information security officer (CISO). Additionally, service provider users and employees should be subject to strong access control procedures so that only appropriate individuals are authorized to access sensitive retirement plan information. This allows a service provider to confirm that activity in its environment is consistent with its cybersecurity program and that any unauthorized use of or access to confidential data is detected. The DOL stresses that employees are often an organization’s weakest link in cybersecurity. To minimize the human element in potential security breaches, a service provider’s cybersecurity program should include annual cybersecurity awareness training for employees. The guidance also includes recommendations for a secure system development lifecycle program, a business resilience program, encryption of sensitive data at rest and in transit, technical controls (i.e., security solutions implemented in the hardware, software or firmware of a system) in accordance with best security practices, and appropriate responses to any past cybersecurity breaches. Such controls should be consistent with the service provider’s cybersecurity program and should detect all access into the environment, including unauthorized use of or access to confidential plan and plan participant data and other sensitive personally identifiable information.
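The access-control and detection recommendations above are stated as policy; the following is an added illustration (not DOL guidance and not Morgan Stanley at Work code) of what a service provider might build to meet them. It routes every read of participant data through one authorization gate that checks plan entitlements and whether the user may see unmasked identifiers such as Social Security numbers, writes every decision to an audit log, and then reviews that log for refused accesses and for one user reading unusually many records (a possible bulk export). The record store, user names, field names and the bulk-read threshold are all constructed for the example.

```python
"""Added example: entitlement-based access control with audit logging and
a simple review of the log. All data and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Fields the guidance singles out as highly sensitive; only users explicitly
# entitled to unmasked PII may read them. Hypothetical field names.
SENSITIVE_FIELDS = frozenset({"ssn", "home_address"})

# Hypothetical threshold: a user reading more distinct participants than this
# in one review window is flagged as a possible bulk export.
BULK_READ_THRESHOLD = 3


@dataclass(frozen=True)
class User:
    name: str
    plans: frozenset      # plan IDs this user is entitled to access
    full_pii: bool = False  # may read unmasked SSN / home address


@dataclass(frozen=True)
class AuditEvent:
    user: str
    plan_id: str
    participant_id: str
    fields: tuple
    allowed: bool
    reason: str


class ParticipantStore:
    """Every read goes through one authorization gate and is logged."""

    def __init__(self, records):
        self._records = records   # {(plan_id, participant_id): {field: value}}
        self.audit_log = []

    def _log(self, user, plan_id, pid, fields, allowed, reason):
        self.audit_log.append(AuditEvent(user.name, plan_id, pid, fields, allowed, reason))

    def read(self, user, plan_id, pid, fields):
        """Return the requested fields, or None if the access is refused."""
        fields = tuple(fields)
        if plan_id not in user.plans:
            self._log(user, plan_id, pid, fields, False, "plan not in entitlements")
            return None
        if SENSITIVE_FIELDS & set(fields) and not user.full_pii:
            self._log(user, plan_id, pid, fields, False, "unmasked PII not permitted")
            return None
        record = self._records.get((plan_id, pid))
        if record is None:
            self._log(user, plan_id, pid, fields, False, "no such participant")
            return None
        self._log(user, plan_id, pid, fields, True, "ok")
        return {f: record[f] for f in fields if f in record}


def review_audit_log(events):
    """Findings for an analyst: every refusal, plus users reading unusually many records."""
    findings = [("denied", e.user, e.reason) for e in events if not e.allowed]
    touched = defaultdict(set)
    for e in events:
        if e.allowed:
            touched[e.user].add((e.plan_id, e.participant_id))
    for user, parts in sorted(touched.items()):
        if len(parts) > BULK_READ_THRESHOLD:
            findings.append(("bulk_read", user, f"{len(parts)} participants"))
    return findings


def demo():
    """Constructed scenario; returns (store, findings) so both can be inspected."""
    records = {("PLAN-A", f"P{i}"): {"ssn": f"000-00-000{i}", "balance": 1000 * i}
               for i in range(1, 6)}
    records[("PLAN-B", "P1")] = {"ssn": "111-11-1111", "balance": 50}
    store = ParticipantStore(records)

    alice = User("alice", frozenset({"PLAN-A"}), full_pii=True)   # plan administrator
    bob = User("bob", frozenset({"PLAN-A", "PLAN-B"}))            # support staff, masked view

    store.read(bob, "PLAN-A", "P1", ["balance"])            # allowed
    store.read(bob, "PLAN-A", "P1", ["ssn"])                # refused: no unmasked PII
    store.read(alice, "PLAN-B", "P1", ["ssn"])              # refused: not her plan
    for i in range(1, 6):                                   # five distinct participants:
        store.read(alice, "PLAN-A", f"P{i}", ["balance"])   # each allowed, together flagged
    return store, review_audit_log(store.audit_log)


if __name__ == "__main__":
    _, findings = demo()
    for finding in findings:
        print(finding)
```

The point of routing reads through a single gate is that the audit log is complete by construction: a reviewer can trust that an access absent from the log did not happen, which is what makes the bulk-read check (and any later investigation of a breach) meaningful. In a real deployment the log would be shipped to tamper-evident storage and the threshold tuned to the provider's normal workload.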


Tips for Plan Participants

The final part of the DOL’s April 2021 guidance offers plan participants and beneficiaries tips to reduce the risk of fraud and loss when managing their retirement accounts online. These online security tips, which remain relevant today, include:

Plan sponsors and fiduciaries should share these tips with plan participants and emphasize a participant’s role in safeguarding their retirement benefits and personal information.



Since the DOL first issued its guidance, it has expanded its focus to health and welfare plans, reaffirming that these cybersecurity best practices apply to all types of ERISA benefit plans. This puts plan sponsors and plan fiduciaries under mounting pressure to be able to produce all cybersecurity program policies, procedures and guidelines that relate to the plan, whether maintained by the plan sponsor or by a service provider. The DOL also continues to request detailed documentation of the actions taken by the plan’s fiduciaries and service providers regarding their cybersecurity practices. As cybercrime continues to evolve and increase, with costs estimated to reach $10.5 trillion globally by 2025, growing 15% year over year,4 the DOL will likely continue its efforts to oversee these practices and to offer further guidance and regulations.


Morgan Stanley at Work empowers companies and employees wherever they are on their unique financial journey, and we’re here to help companies navigate today’s financial services landscape and latest legislative changes with confidence.