DOL Cybersecurity Inquiries: Is Your Employee Benefit Plan Ready?
Published May 11, 2026
If you received a DOL cybersecurity inquiry today regarding your employee benefit plan, could you produce consistent answers and supporting evidence across internal teams and service providers—within 10 business days?
In 2021, the Department of Labor (DOL) issued its Cybersecurity Program Best Practices. Despite the highly sensitive nature of participant data and increasingly sophisticated cyber threats, many plan sponsors viewed the guidance as advisory rather than operational. Now, DOL cybersecurity inquiries to employee benefit plans are active and intensifying; here is what plan sponsors need to know to navigate these investigations.
Key Takeaways
- DOL cybersecurity investigations of employee benefit plans are active and intensifying. As much as 40% of an information request may be focused exclusively on cybersecurity.
- Plan sponsors may have as few as 10 business days to respond to a DOL information request, making proactive preparation far less disruptive than a deadline-driven scramble.
- EisnerAmper helps plan sponsors establish a defensible cybersecurity baseline, assess service provider risk, and organize documentation before a DOL inquiry arrives.
Why Plan Sponsors Should Act Now
Regulatory expectations have shifted from guidance to proof. The DOL now asks for written programs, evidence of testing, and vendor oversight documentation. Plan sponsors who wait may face two problems: a short response window and difficulty gathering defensible evidence across multiple service providers.
Employee benefit plans operate in vendor-heavy environments, which makes gathering that evidence even harder. Recordkeepers, custodians, payroll and HRIS systems, third-party administrators, and other vendors often have overlapping access, making it difficult to explain “who can access what.” Without a formal data-flow inventory, that question has no clear answer. If an incident does occur, the consequences extend beyond the technical response: participant communications, potential litigation, remediation costs, and regulator questions about preparedness and oversight. To get ahead of these obstacles, plan sponsors should document their programs, test their controls, and assemble clear vendor evidence before an inquiry arrives.
What the DOL Is Actually Asking: A Sample of Recent Information Requests
The following sample questions are drawn from a recent DOL information request and represent approximately 40% of the total questions received.
Written Program and Governance
1. Provide the plan sponsor’s written cybersecurity program, which includes procedures for identifying and assessing cybersecurity threats and risks, securing the Plan from attempted intrusions, responding to incursions, and the recovery plan.
INSIGHT: Many plan sponsors do not have such a document. Without one, it’s extremely difficult to demonstrate that plan management has clear standards for protecting information assets, managing cybersecurity risk, and maintaining compliance across plan operations.
2. Cybersecurity Liability Policy and related documents, if applicable.
INSIGHT: Although not required, cyber liability coverage is recommended. It is distinct from a Fidelity Bond or a Fiduciary Liability Policy.
3. Documents sufficient to describe the plan sponsor’s acceptable use policy regarding Plan participant data.
INSIGHT: Without a clearly defined acceptable use policy, plan data can be accessed, shared, or stored in ways that bypass security controls (e.g., via personal email, unapproved file sharing, or screenshots). This creates data leakage risk and makes it hard to demonstrate “minimum necessary” access during a DOL review.
Risk Assessment and Third-Party Assurance
4. Documentation of any internally conducted assessment of cybersecurity controls (risks, threats, or vulnerabilities), including any reports created relating to the assessment.
INSIGHT: If no risk or control assessment has been performed recently, the plan may be operating with unknown vulnerabilities. The DOL will likely view the absence of documented risk identification, prioritization, and remediation tracking as a governance gap—even if technical controls exist.
5. Documentation of any third-party audit of cybersecurity controls, including any reports created and any recommendations made by the third party.
INSIGHT: Third-party assurance (e.g., Service Organization Control (SOC) reports, penetration testing, independent assessments) provides stronger evidence than internal reviews alone. If assurance is missing, limited in scope, or exceptions are unresolved, plan sponsors may struggle to demonstrate that controls were independently validated and findings were addressed in a timely manner.
Access Controls and Identity Verification
6. Documents sufficient to show the identity of plan sponsor personnel with access to or responsibility for the security of Plan data, including the reason for, and extent of, their access.
INSIGHT: Unclear ownership and undocumented access rights are common findings. If the plan sponsor cannot quickly explain who has access, why they have it, and how access is reviewed/removed, there is an elevated risk of inappropriate access and insider misuse.
7. Documents sufficient to describe password protocols for participant Plan accounts, including the number and type of characters, the frequency with which they can be changed, and the complexity required.
INSIGHT: Weak password standards increase the likelihood of account takeover through credential stuffing and brute-force attacks. The DOL may expect strong password configuration, lockout thresholds, monitoring of suspicious logins, and detection of attempts to use compromised credentials.
8. Documents sufficient to describe the authentication methods employed by the Plan service providers to verify participant identity (i.e., multi-factor authentication (MFA), biometric authentication, token-based authentication).
INSIGHT: If service providers do not use strong participant identity verification (especially MFA), a single compromised credential can lead to fraudulent distributions or data exposure. Plan sponsors may be asked to show that authentication requirements are contractually required, monitored, and periodically validated.
9. Documents sufficient to describe password protocols for plan sponsor portal access, including the number and type of characters, the frequency with which it can be changed, and the complexity required.
INSIGHT: Plan sponsor portals typically grant elevated permissions (e.g., payroll feeds, eligibility changes, approvals), making them high-value targets. Plan sponsors should be prepared to show password configuration, administrative safeguards, and how exceptions are handled.
10. Documents sufficient to describe the authentication methods employed by the Plan service providers to verify plan sponsor personnel identity (i.e., multi-factor authentication, biometric authentication, token-based authentication).
INSIGHT: If MFA is not enforced for plan sponsor users, compromised credentials can allow attackers to access plan administration functions. The DOL may look for evidence that MFA is enabled, required for all privileged actions, and supported by monitoring, conditional access, and periodic access reviews.
Data Storage and Encryption
11. Documents sufficient to demonstrate where and how Plan data is stored (stored in the cloud, maintained by a third party, etc.).
INSIGHT: Many plan sponsors cannot quickly map where plan data resides (recordkeeper, HRIS, payroll, shared drives, email, cloud storage) or how it flows between parties. Without a data inventory, unprotected copies, unclear retention, and missed breach notifications become real risks.
12. Documents sufficient to describe the policies or guidelines for encryption to protect all sensitive information transmitted, stored, or in transit.
INSIGHT: If encryption requirements are unclear or inconsistently applied, sensitive participant data may be exposed through email, file transfers, backups, or portable media. The DOL may expect documented encryption standards, key management practices, and confirmation that vendors apply equivalent protections.
13. Documents sufficient to describe policies for handling portable devices (laptops, phones, thumb drives, CDs/DVDs) that contain Plan data, including participant data.
INSIGHT: Portable devices are a common source of data loss. Without controls such as full-disk encryption, mobile device management, secure configuration standards, and restrictions on removable media, sensitive data can be unintentionally exposed. The DOL may expect evidence of remote wipe capability and procedures for lost/stolen devices.
Incident History and Vendor Oversight
14. A brief narrative describing any past cybersecurity breaches (i.e., malware, ransomware, phishing, or other incursion) involving the Plan and its participants.
INSIGHT: Repeat or unresolved incidents can indicate control weaknesses. Plan sponsors should be prepared for follow-up questions on notification, remediation, and whether service providers were implicated.
15. Documents sufficient to describe the cybersecurity policies and procedures of any service provider handling Plan data, including service agreements and other contracts.
INSIGHT: Vendor oversight is often the biggest gap. If contracts do not clearly define security requirements (e.g., MFA, encryption, incident notification timelines, audit rights, subcontractor controls) and the plan sponsor does not collect ongoing assurance (SOC reports, questionnaires, metrics), risk is effectively outsourced without governance.
Training and Participant Education
16. Documentation of periodic employee cybersecurity awareness training.
INSIGHT: Human error remains a primary driver of phishing and business email compromise. If training is informal, infrequent, or not tracked, it is difficult to demonstrate an effective security awareness program. The DOL may expect evidence of periodic training, phishing simulations (where used), completion rates, and role-based training for privileged users.
17. Copies of any documents distributed to plan participants encouraging cybersecurity awareness.
INSIGHT: Participant education reduces the risk of fraud from account takeover, social engineering, and fraudulent distribution requests. Regulators may view the absence of participant-facing guidance as a gap in program completeness.
How EisnerAmper Helps Plan Sponsors Facing a DOL Cybersecurity Inquiry
EisnerAmper helps plan sponsors establish a defensible baseline, organize documentation, and identify practical remediation steps, enabling them to respond with confidence rather than urgency.
Our cybersecurity assessment aligns with the DOL’s Cybersecurity Guidance, AICPA consulting standards, and other relevant legal and industry frameworks. The result is clear insight into your risk exposure and a roadmap to strengthen controls before a DOL “love letter” arrives. Contact us today to begin preparing for a DOL cybersecurity inquiry.