Department of Labor’s Online Security Tips for Employers

In its ongoing efforts to bolster cybersecurity in ERISA-covered plans, the Department of Labor (DOL) has issued multiple layers of guidance, one of which is a set of Online Security Tips.

At first glance, these tips are clearly for individuals: plan participants and beneficiaries who log in to their retirement or benefit accounts online. The guidance provides basic but important practices to help individuals minimize the risk of fraud, such as enabling two-factor authentication and identifying phishing emails.

So where do employers fit in?

Cybersecurity Awareness

These tips aren’t directed at plan sponsors or fiduciaries, but the DOL’s decision to include them in the broader cybersecurity release implies a clear expectation: you should inform your participants.

In other words, you don’t have to implement the tips, but you should share them with your employees, retirees and others who access benefit systems online.

Reducing Risk in Your Workplace

Informing participants serves two purposes:

  • Reduces risk across the plan by encouraging better participant behavior

  • Reinforces your role as a proactive plan sponsor committed to protecting plan assets and personal data

In today’s threat landscape, phishing, credential theft and account compromise often happen at the individual level. Educating users on basic online safety is a practical way to support comprehensive cybersecurity goals with no extra burden on your IT or HR teams.

Practical Ways to Share Guidance

You don’t need an official campaign. Instead, consider:

  • Including a one-page summary in open enrollment packets

  • Linking to the DOL’s tips in benefits portals

  • Adding a reminder in retirement plan communications

  • Sharing guidance during onboarding or retirement readiness sessions

Why should you share the DOL's Tips?

The Department of Labor’s Online Security Tips may not be for employers, but they’re an opportunity to show you care, create trust, and enhance your ERISA compliance posture. A small effort to share these tips goes a long way in protecting your plan participants and your plan.

Carly Devlin

Shareholder, Chief Information Security Officer
Carly is a highly accomplished professional, currently serving as a Shareholder and the Chief Information Security Officer at Clark Schaefer Hackett. Her primary responsibility is to lead the firm's IT Risk and Cybersecurity consulting practice.