Contributing Author: Kristine Custodio Suero, Advanced Certified Paralegal
As a plan sponsor, you're responsible for safeguarding the retirement and health benefit information of your employees. With more benefit-related activities occurring online, cybersecurity is no longer just a tech issue; it's a fiduciary responsibility.
Whether you sponsor a 401(k), health, or pension plan, the U.S. Department of Labor (DOL) expects you to take steps to protect sensitive participant data and plan assets.
This post discusses best practices and what you need to know and do to meet your responsibilities.
Why Cybersecurity Matters for Benefit Plans:
- Employee benefit plans store valuable personal information and hold millions of dollars in assets (sometimes billions).
- Cybercriminals target this information for identity theft, fraud, and unauthorized distributions.
- As a fiduciary, you must act prudently to protect plan assets and participant data under ERISA (Employee Retirement Income Security Act).
According to the DOL, these cybersecurity expectations apply to all ERISA-covered plans—not just retirement plans, but also health and welfare plans.
3 Things Every Plan Sponsor Should Do:
1. Vet Your Service Providers
Most plans use vendors (like recordkeepers, TPAs, and benefits platforms) to manage data and transactions. Make sure your vendors take cybersecurity seriously.
- Ask about their security policies and certifications (e.g., SOC 2, ISO 27001).
- Request third-party audit reports and follow up on any findings.
- Confirm they have cyber liability insurance to cover potential breaches.
2. Include Cybersecurity in Contracts
A strong vendor contract protects your plan. Be sure to include:
- Requirements for annual security audits
- Confidentiality provisions for how data is handled
- A clause requiring timely notification if there's a data breach
- Compliance with laws and best practices, including data encryption and access controls
3. Follow DOL's Best Practices
The DOL recommends that plan sponsors and vendors implement these cybersecurity practices (DOL Guidance):
- A formal cybersecurity program
- Regular risk assessments
- Security training for all staff
- Use of multi-factor authentication (MFA) and strong passwords
- Monitoring systems to detect threats
- Incident response plans to manage breaches
- Encryption of data stored and shared
Help Protect Your Employees
Educate your participants with these simple online safety tips:
- Register for and monitor their accounts
- Use unique, complex passwords and change them regularly
- Enable MFA for an extra layer of protection
- Keep contact info updated with the plan administrator
- Avoid clicking suspicious links or emails
Final Thoughts: Take Action Now
As a plan sponsor, taking steps to secure your plan data isn't optional; it's part of your legal duty to act in your participants' best interests.
Here's how to get started:
- Review your vendor contracts for cybersecurity language
- Request and review audit reports from your service providers
- Implement basic security practices for your internal team
- Educate your participants about protecting their accounts
- Document your efforts as part of fiduciary oversight
Cybersecurity may seem complex, but it's manageable and essential. Taking the right steps today helps protect your employees and your organization from tomorrow's risks.
ERISA compliance is complex, but our experienced attorneys can help you navigate these rules and regulations to avoid costly penalties and participant complaints. Contact Schechter Benefits Law Group today to ensure your employee benefit plans meet all legal requirements and that you're doing all you can to fulfill your legal responsibilities.
*Nothing stated herein is to be construed as legal or tax advice and shall not form any attorney-client relationship. Each individual situation is unique. Please contact us and speak with one of our attorneys regarding your individual situation.