Our Solutions
Our workplace financial solutions deliver powerful tools, guidance and education to help your company and your employees thrive.
Equity Solutions for Private Companies

Equity Administration

Liquidity

409A Valuation

View More Solutions
Equity Solutions for Public Companies

Equity Administration

Financial Reporting

Global Intelligence

View More Solutions
Retirement

Defined Contribution Consulting

Small Business Retirement Plans

Fiduciary Investment Oversight
Deferred Compensation

Recordkeeping and Plan Design

Portfolio Construction

Wealth Management Services
Financial Wellness

Education

Financial Guidance

Perks
Saving and Giving

Charitable Giving

Education Financing
Executive Services

Equity Compensation Services

Equity Award Analysis

Specialized Solutions
Your Business
We deliver financial benefit solutions tailored to the needs of your workplace—from startup to enterprise, venture capital to law firm.
Private Company

Grow with confidence and build a culture of excellence with solutions tailored to private companies.

Small Business

Startup

Enterprise
Public Company

Find the right financial benefit solution—one that fits your company’s needs and builds the confidence of every employee.

Public Company
Strategic Partner

Discover equity solutions that adapt to the diverse needs of your clients or portfolio companies.

Investor

Law Firm

Other Partners
Why Us
Explore our story, meet the people behind our solutions and discover what sets Morgan Stanley at Work apart.
Our Advantage

Learn how our offering can help your company and employees thrive at each stage of the financial journey.

Advantages for Your Company

Advantages for Your Employees
About Us

Meet our team, learn what drives us and discover the power of Morgan Stanley.

Our Story

Our People

The Power of Morgan Stanley
Thrive

Learn more about our Thrive conference. Explore regional forums, and access insights from previous events.

Thrive 2025

Regional Forums
Insights

Insights
Discover ideas, tips and best practices to evolve your workplace and your benefits.

View All Insights

Trending Topics

Financial Wellness
Explore strategies for developing a more financially confident workforce, to help your employees at any stage of their financial journey.

View topic

Invested at Work Podcast
Our podcast tackles the complex world of workplace financial benefits to help companies empower their employees. Listen in.

View topic

Equity Compensation
Discover fresh ideas and unique perspectives on liquidity and equity compensation strategies to help motivate your employees and fuel your company’s next stage.

View topic

Diversity & Inclusion
A diverse workforce has diverse needs—learn how to support your employees across a variety of backgrounds.

View topic

Latest Insights

Retirement Planning

Retirement Planning: Why the Stakes Are Higher for Women

Financial Education

State of the Workplace 2024 Financial Benefits Study

Liquidity Trends Report 2023

View All Insights
Get In Touch

DOL Cybersecurity Guidance for Plan Sponsors

The DOL’s cybersecurity guidance for plan sponsors remain as relevant as ever. Discover ways to enhance your compliance.

When it comes to providing a retirement plan for your employees, staying compliant with Department of Labor (DOL) guidance is one of the most important responsibilities you take on.

In fact, in a recent survey, Morgan Stanley at Work discovered that 93% of plan sponsors choose to work with a financial advisor specifically for assistance with plan compliance and regulatory oversight.¹

One prime area of focus remains, compliance with evolving cybersecurity rules. In 2021, when the DOL publicized guidance around qualified retirement plan cybersecurity practices, it noted that qualified retirement plans are prime targets for cyber attackers: it’s estimated that there are approximately 140 million participants in ERISA-governed retirement plans, holding assets of about $9.3 trillion.² Additionally, retirement plans maintain significant amounts of highly sensitive personal and financial data (think: Social security numbers, employment information and home addresses).

As a result, without sufficient protections and protocols in place, participants and assets may be at risk from cybersecurity threats. The DOL’s 2021 guidance set out best practices to help plan sponsors, plan fiduciaries, service providers and plan participants maintain a prudent cybersecurity program within the retirement plan framework. Since then, the DOL has heightened its focus on cybersecurity issues in its ERISA investigations.³ This makes it increasingly important for plan fiduciaries to strongly consider implementing the guidance to further enhance their cybersecurity infrastructure.

When it comes to cybersecurity, if you haven’t already, now is the time to start implementing information security protection, protocols and prepare for potential DOL enforcement.

In this article, we decode the guidance and help plan sponsors understand what’s most important to implement to keep your company and employees safe from cyber criminals.

The DOL’s cybersecurity guidance is divided into three parts:

Plan Sponsors(e.g., plan fiduciaries)

Under ERISA, plan sponsors have a fiduciary duty to prudently select and monitor a plan’s service providers. The first part of the DOL’s cybersecurity guidance addresses how to evaluate a service provider’s cybersecurity practices to effectively satisfy this fiduciary obligation. The guidance recommends that plan fiduciaries carefully review and compare the service providers’ security standards to recognized industry standards and frameworks. It encourages plan sponsors to engage in conversations with a current or prospective service provider about their security policies and procedures, any audit results, past security breaches and whether the service provider has cybersecurity or identify theft insurance.

Additionally, the DOL strongly advises that a plan fiduciary incorporate various cybersecurity-related provisions in its agreement with a service provider. A contract should include terms that require ongoing compliance with applicable cybersecurity and information security standards and should not include provisions that limit a service provider’s responsibility for security breaches. A fiduciary should also attempt to include terms that require:

An annual, third-party audit to determine compliance with policies and procedures, with the plan fiduciary reserving the right to review the audit results
Confidentiality and clear provisions on the use and sharing of information, including clear limitations on the use of such information
Notification of data breaches and, in the event of a breach, the service provider’s cooperation to investigate and reasonably address the cause of the breach
Compliance with records retention and destruction, privacy and information security laws
Insurance coverage such as professional liability and errors and omissions liability insurance, cyber liability and privacy breach insurance, and fidelity bond/blanket crime coverage

Plan sponsors should discuss these issues with their legal advisors.

Service Providers

The second part of the DOL guidance provides best practices for service providers to ensure they have a strong cybersecurity infrastructure. Service providers should have a formal, well documented cybersecurity program that protects their IT infrastructure and retirement data from both internal and external threats. A service provider should institute formal and effective policy and procedures requiring annual risk assessments and review by a third-party auditor. As the DOL notes, risk assessments for assets or data stored in a cloud environment or managed by a third-party service provider are crucial.

According to the DOL, for a cybersecurity program to be effective and for accountability, it must be managed at the senior executive level, such as by a chief information security officer (CISO). Additionally, service provider users/employees should be subject to strong access control procedures to make sure that only the appropriate individuals have the authorization to access sensitive retirement plan information. This would allow a service provider to confirm that its activity is consistent with its cybersecurity program and that any unauthorized use or access of confidential data is detected. The DOL stresses how employees are often an organization’s weakest link for cybersecurity. To minimize the impact of the human element in potential security breaches, a service provider’s cybersecurity program should include annual cyber awareness training for employees. The guidance also includes various recommendations for a secure system development lifecycle program, a business resilience program, encryption of sensitive data while stored and in transit, technical controls (i.e., security solutions through mechanisms in the hardware, software, or firmware of a system) in accordance with best security practices and appropriate responses to any past cybersecurity breaches. Such controls should be consistent with the service provider’s cybersecurity program and should detect all access into the environment including unauthorized use of access of the confidential plan and/or plan participant data and other sensitive personal identifying information.

Tips for Plan Participants

The final part of the DOL’s April 2021 guidance offers plan participants and beneficiaries tips to reduce the risk of fraud and loss when managing their retirement accounts online. These online security tips, which remain relevant today, include:

Plan sponsors and fiduciaries should share these tips with plan participants and emphasize a participant’s role in safeguarding their retirement benefits and personal information.

Conclusion

Since the DOL first issued its guidance, it has expanded its focus to health and welfare plans—reaffirming that these cybersecurity best practices apply to all types of ERISA benefit plans. This puts plan sponsors and plan fiduciaries under mounting pressure to produce all cybersecurity program policies, procedures and guidelines that relate to the plan, whether applied by the plan sponsor or by a service provider. The DOL also continues to request detailed documentation of actions taken by the plan’s fiduciaries and service providers regarding their cybersecurity practices. As cybercrime continues to evolve and increase, with an estimated cost of $10.5 trillion globally by 2025, or 15% growth year over year,⁴ the DOL will likely continue its effort to oversee these practices and offer further guidance and regulations.

Morgan Stanley at Work empowers companies and employees wherever they are on their unique financial journey, and we’re here to help companies navigate today’s financial services landscape and latest legislative changes with confidence.

This material may provide the addresses of, or contain hyperlinks to, websites. Except to the extent to which the material refers to website material of Morgan Stanley Wealth Management, the firm has not reviewed the linked site. Equally, except to the extent to which the material refers to website material of Morgan Stanley Wealth Management, the firm takes no responsibility for, and makes no representations or warranties whatsoever as to, the data and information contained therein. Such address or hyperlink (including addresses or hyperlinks to website material of Morgan Stanley Wealth Management) is provided solely for your convenience and information and the content of the linked site does not in any way form part of this document. Accessing such website or following such link through the material or the website of the firm shall be at your own risk and we shall have no liability arising out of, or in connection with, any such referenced website. Morgan Stanley Wealth Management is a business of Morgan Stanley Smith Barney LLC.

When Morgan Stanley Smith Barney LLC, its affiliates and Morgan Stanley Financial Advisors and Private Wealth Advisors (collectively, “Morgan Stanley”) provide “investment advice” regarding a retirement or welfare benefit plan account, an individual retirement account or a Coverdell education savings account (“Retirement Account”), Morgan Stanley is a “fiduciary” as those terms are defined under the Employee Retirement Income Security Act of 1974, as amended (“ERISA”), and/or the Internal Revenue Code of 1986 (the “Code”), as applicable. When Morgan Stanley provides investment education, takes orders on an unsolicited basis or otherwise does not provide “investment advice”, Morgan Stanley will not be considered a “fiduciary” under ERISA and/or the Code. For more information regarding Morgan Stanley’s role with respect to a Retirement Account, please visit www.morganstanley.com/disclosures/dol. Tax laws are complex and subject to change. Morgan Stanley does not provide tax or legal advice. Individuals are encouraged to consult their tax and legal advisors (a) before establishing a Retirement Account, and (b) regarding any potential tax, ERISA and related consequences of any investments or other transactions made with respect to a Retirement Account.

Morgan Stanley at Work services are provided by Morgan Stanley Smith Barney LLC, member SIPC, and its affiliates, all wholly owned subsidiaries of Morgan Stanley.

CRC 5648445 05/2023

View Disclosures Hide Disclosures