Employee Benefits Security Administrations Cybersecurity Guidance Part 3: Online Cybersecurity Tips

Part three of a three-part series on the U.S. Department of Labor’s “Cybersecurity Guidance for Plan Sponsors, Plan Fiduciaries, Record Keepers, Plan Participants.”

In April 2021, the Department of Labor’s (DOL) Employee Benefits Security Administrations (EBSA) announced cybersecurity guidance for retirement plans subject to the Employee Retirement Income Security Act (ERISA) of 1974. The guidance for plan sponsors, plan fiduciaries, record keepers, and plan participants are provided under three forms:

  1. Tips for hiring a service provider – To help plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices as required by ERISA

  2. Cybersecurity program best practices – To help plan fiduciaries and record-keepers in their responsibilities for managing cybersecurity risks

  3. Online security tips – To help participants and beneficiaries reduce the risk of fraud and loss when checking their retirement accounts online


Online security tips

The DOL’s third and final piece of guidance, “online security tips,” is designed to help retirement account participants and beneficiaries reduce the risk of fraud and loss when checking their accounts online. These are basic security tips, fundamentals that should be employed by everyone if at all possible.

  1. Register, set up and routinely monitor your online account. If you don’t register and set up your online account, you run the risk that someone else will. Being responsible for your accounts also includes logging in regularly to review activity. If you find a suspicious entry, alert your sponsor and report the activity to the appropriate authorities (see #9). As well, protect yourself from identity theft and unauthorized access by using strong, unique passwords and multifactor authentication.

  2. Use strong, unique passwords. The DOL guidance issued the following advice for using strong passwords:
    • Don’t use dictionary words.
    • Use letters (both upper and lower case), numbers, and special characters.
    • Don’t use letters and numbers in the sequence (no “abc”, “567”, etc.).
    • Use 14 or more characters.
    • Don’t write passwords down.
    • Consider using a secure password manager to help create and track passwords.
    • Change passwords every 120 days, or if there’s a security breach.
    • Don’t share, reuse, or repeat passwords.

    Not reusing or repeating passwords can be difficult. How are you supposed to remember a different password for each account? But if you reuse and repeat passwords for all your accounts and one of those accounts is compromised, the attacker potentially has access to every account where that password is used. Hint: Consider using a secure password manager (“f” above). Also, multi-factor authentication helps mitigate this risk.

  3. Use multifactor authentication. Multi-factor authentication (MFA), also called “two-factor authentication,” requires a second credential to verify your identity—for example, entering a code sent in real-time by text message or email. In the event your password is compromised, MFA could be the last layer of defense to protect your account from unauthorized access. If you receive an unsolicited request to verify your access, it likely means your password has been compromised; do not authorize access and change your password immediately. Only respond to requests that you initiate.

  4. Keep personal contact information current. Update your contact information when it changes, so you can be reached if there’s a problem. Select multiple communications options.

  5. Close or delete unused accounts. Closing and deleting unnecessary or inactive accounts serve to reduce your online presence, and therefore, the risk that your accounts will be compromised. This might appear to contradict the advice of #1 above, but if an account is disabled, you should still be able to request notifications of any activity. You will also be notified if your account information is changed or your account is reopened, which could indicate your identity has been stolen.

  6. Be wary of free Wi-Fi. Public, open Wi-Fi can be a haven for criminals; unprotected Wi-Fi can allow direct access to your computer. There, cybercriminals can monitor your activity and steal your information. It is best to stick to trusted home and business networks, but if you use public Wi-Fi, protect yourself by using a virtual private network (VPN) to establish secure sessions.

  7. Use anti-virus software. Use it and keep it updated; it’s that simple. There are many trustworthy free and low-cost options.

  8. Beware of phishing attacks. One of the most common ways criminals steal your information or gain access to your account is through phishing or fake emails. Phishing attacks aim to gain access to your accounts by tricking you into sharing your passwords, account numbers, and sensitive information. A phishing message may look like it comes from a trusted organization, to lure you to click on a dangerous link or pass along confidential information.

  9. Common warning signs of phishing attacks include:

    • A text message or email you didn’t expect or that comes from a person or service you don’t know or use
    • Spelling errors or poor grammar
    • Mismatched links: a seemingly legitimate link sends you to an unexpected address. Often, but not always, you can spot a mismatched link by hovering your mouse over the link without clicking on it, so that your browser displays the actual destination.
    • Shortened or odd links or addresses
    • An email request for your account number or personal information. Legitimate providers should never send you emails or texts asking for your password, account number, personal information, or answers to security questions.
    • Offers or messages that seem too good to be true, express great urgency, or are aggressive and scary
    • Strange or mismatched sender addresses
    • Anything else that makes you feel uneasy

  10. Report identity theft and cybersecurity incidents. The FBI and the Department of Homeland Security have set up sites for reporting cybersecurity incidents:


Communicating these tips to your employees, participants, and beneficiaries is critical to protecting personal identities and retirement plan assets. As such, we recommend establishing a security awareness and training program to communicate regularly with employees, participants, beneficiaries, and all other relevant audiences on security best practices and evolving threats.

For more information on DOL’s security tips, educating your employees on cybersecurity, or implementing cybersecurity best practices, contact HBK Risk Advisory Services at 724-934-5300, or by email at mschiavone@hbkcpa.com.

Use the following links to read part one and part two.

About the Author(s)
Matthew joined HBK in early 2017 after spending four years working for Kearney and Company in Washington, DC as a consultant to the Department of Defense (DoD). Matt has thirteen years of extensive internal control experience within information technology and the financial reporting processes. He leads HBK’s Risk Advisory Services where he assists clients with System and Organization (SOC) 1 and SOC 2 readiness assessment and examination. Additionally, he helps clients assess the design, implementation, and effectiveness of cybersecurity controls and their ability to achieve industry best practices and security frameworks such as ISO 27001. His client base includes Software-as-a-Service organizations, cybersecurity and incident response service organizations, and service organizations supporting the healthcare and financial services industries.
Hill, Barth & King LLC has prepared this material for informational purposes only. Any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or under any state or local tax law or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein. Please do not hesitate to contact us if you have any questions regarding the matter.

RECOMMENDED ARTICLES