Is Your Retirement Plan Ready for Today’s Cybersecurity Threats?

Practical steps to help protect participants’ data and meet your fiduciary duties.

As a retirement plan sponsor, you are juggling plenty of responsibilities. Investment oversight, fee monitoring, participant education… the list goes on. Now there’s another item on your priority list: cybersecurity.


If you’re thinking “cybersecurity is an IT issue,” you’re not alone. Many plan sponsors assume data protection falls outside their wheelhouse. But when it comes to your 401(k) plan, cybersecurity is very much a fiduciary responsibility, and it’s one that can have serious consequences if you don’t address it properly.


Why cybercriminals target retirement plans

Retirement plans contain exactly the type of information cybercriminals value most. Think about the sensitive information stored in your plan’s database:

  • Social Security numbers
  • Birthdates
  • Salary information
  • Account balances
  • Beneficiary details


This treasure trove of personal and financial data represents a one-stop shop for identity theft and financial fraud.

The substantial assets held in retirement accounts also make them attractive targets. With the average 401(k) balance continuing to grow, and many accounts holding six-figure sums, the potential payoff for successful cyberattacks keeps increasing.



What the Department of Labor expects

The DOL has made it clear that cybersecurity falls squarely within plan sponsors’ fiduciary duties. The agency’s updated 2024 guidance confirms that all ERISA plans must have appropriate cybersecurity measures in place to protect participants and beneficiaries from cybercrimes.


This means that plan sponsors must exercise the same level of prudent oversight for cybersecurity as they do for investment selection and fee monitoring. Plan sponsor compliance isn’t just checking boxes; it’s demonstrating that you’re taking reasonable steps to protect participant information and plan assets.


Building your cybersecurity foundation

The good news is that effective cybersecurity doesn’t require you to become a technical expert. It does, however, require a systematic approach and attention to key areas that can significantly reduce your risk.

  • Protect data. Encrypt participant information and require multi-factor authentication.
  • Train employees. Teach them to spot phishing, use strong passwords, and report issues.
  • Plan for incidents. Have a response plan to minimize damage and show your commitment to safeguarding participant data.

Monitor service providers carefully

Most plan sponsors rely on recordkeepers, payroll companies, TPAs, and other providers. Since these vendors have access to participant data, their cybersecurity practices directly affect your plan’s exposure to potential risks.

When choosing a vendor, ask specific questions. Check their security measures, certifications, and incident handling. Don’t hesitate to ask the tough questions; your fiduciary duty requires this level of due diligence.

Keep tabs on your providers’ security through regular updates and audit report reviews to help confirm they have proper protections in place. Make sure your service contracts include clearly defined cybersecurity requirements and detailed notification procedures for any security incidents.


Developing your cybersecurity policy

A well-documented cybersecurity policy provides detailed guidance for employees, demonstrates your commitment to data protection, and can be valuable evidence of prudent fiduciary oversight.

Your cybersecurity policy should include these essential action components:

  • Define what constitutes sensitive plan data and how it should be handled.
  • Specify who can access plan systems and under what circumstances.
  • Outline mandatory cybersecurity training and ongoing education.
  • Establish minimum security requirements for all service providers.
  • Detail steps to take when a security incident occurs.
  • Schedule periodic reviews and security updates.

Creating a culture of cybersecurity awareness

Effective cybersecurity requires buy-in from your entire organization, not just the IT department. Leadership support demonstrates the importance of data protection and helps allocate resources for security initiatives.

Regular communication about cybersecurity threats and best practices helps to promote security awareness.

  • Send reminders about common threats.
  • Recognize employees who report suspicious activity.
  • Update staff on new security measures.

When cybersecurity becomes part of your culture, your potential risks decline significantly.

Taking the next step

Implementing cybersecurity measures and staying current with evolving regulatory requirements may seem daunting, but keep in mind that you don’t have to go it alone. Many plan sponsors find that working with experienced advisors and cybersecurity professionals helps them to develop appropriate protection measures without getting overwhelmed by technical details.

Start by honestly assessing your current cybersecurity practices. Review your existing policies, evaluate your service providers’ security measures, and identify any obvious gaps in protection.
