Department of Labor’s Cybersecurity Guidance

October 14, 2021

Holistic risk management and insurance considerations for plan sponsors and fiduciaries

Retirement accounts are attractive targets for cybercriminals. Plan sponsors play an important role in ensuring that participant accounts are secure against cyber theft. The Department of Labor (DOL) recently issued Employee Benefits Security Administration (EBSA) guidance for plan sponsors, recordkeepers, and participants covering best practices to reduce the risk of account theft. As retirement plan specialists, it's our obligation to ensure that our clients are aware of this guidance and insist that their recordkeeper incorporates the best practices listed in the DOL guidelines.

EBSA guidance

Plan sponsors are given tips for hiring service providers with strong cybersecurity practices.

Conduct provider due diligence. The DOL advises plan sponsors to ask their recordkeeper a number of questions to ensure that participant accounts are safeguarded. These include specific questions concerning the recordkeeper’s adherence to industry standards, its handling of past cyber breaches, and its commitment to use the best technology. We would add to that list an inquiry into whether the vendor provides a written account security guarantee—a common offering that would reimburse participants who are innocent victims of retirement account theft.

Be thoughtful about passwords. The guidance includes online security tips for plan participants, who are advised to use strong, unique passwords for accounts, never share passwords, and use two-factor authentication to access their account. Plan sponsors are urged to share the DOL’s online security tips with participants, either directly or through the plan’s recordkeeper.

Marsh McLennan Agency is ready to help

Beyond your responsibilities as a plan sponsor and incorporating this EBSA guidance, it is pivotal to be aware of cybersecurity risk management best practices for your organization at large. Providing companies like yours with recommendations and resources is a cornerstone of Marsh McLennan Agency’s (MMA) holistic approach to the topic. We are uniquely positioned to help you meet your fiduciary obligations in this area.

  • We are objective and unbiased—we are not plan recordkeepers nor do we house participant records.
  • We draw upon Marsh McLennan Agency’s cyber expertise to help you assess your recordkeeper’s cybersecurity practices.
  • Our experts can evaluate your firm’s cyber risks and help mitigate potential loss.

Our Cyber Center of Excellence provides unparalleled resources and expertise to help clients better understand the EBSA guidance, combined with the superior internal cybersecurity environment managed globally across our Marsh family of companies, adding comfort to our client relationships.

Our cyber risk management framework helps you:

  • Understand your specific network environment risks, vulnerability, and threats,
  • Measure your risks utilizing our proprietary analytics and loss mitigation resources, and
  • Manage your risk through contract and vendor risk management best practices and risk transfer solutions, education, coaching programs, response planning, and performance improvement reviews.

Plus, MMA takes a comprehensive approach to helping you manage cyber risk, taking your entire enterprise—operations, compliance, legal, finance, communications, and IT—into consideration. After all, everyone in your company has a stake in keeping corporate data and customer information as secure as possible.

To learn more, talk with your Marsh McLennan Agency representative.