ERISA and Employee Benefit Plans: Time to Get Serious About Cybersecurity

In 2021, the United States Department of Labor (DOL) issued guidance for fiduciaries to secure their benefit plans in connection with the Employee Retirement Income Security Act (ERISA). When it comes to private retirement and health plans, participant data and account assets must be protected under ERISA. But how are fiduciaries and plan sponsors protecting that data and those assets from threat actors in cyberspace?

While many fiduciaries and plan sponsors have improved their cybersecurity posture over the past few years, as compliance regulations and the requirements of cybersecurity insurers demanded it, many have neglected to appropriately identify risk and adjust their policies to keep up with the ever-evolving threat landscape. A 2020 Cyber Security Risk Report by Aon found that “organizations often have a false sense of confidence regarding data security, particularly when it comes to risk potentially posed by third-party service providers.” For fiduciaries and plan sponsors, this oversight is a liability: it exposes them to litigation risk and to possible non-coverage if their cybersecurity insurance providers can prove that they failed to properly safeguard participant data.

Legal Considerations

Qualified plans face the risk of theft of participant assets or data, necessitating a robust cybersecurity program. Under ERISA, judges assess breaches based on procedural prudence, evaluating fiduciaries and plan sponsors’ adherence to cybersecurity measures, particularly in mitigating third-party risks.

All 401(k) plans must adhere to procedural prudence standards, mandating fiduciaries and plan sponsors to exercise care, skill, and diligence akin to prudent professionals in similar circumstances.

With approximately $9.9 trillion in retirement account assets, benefit plans attract threat actors, highlighting the importance of risk assessments for fiduciaries and plan sponsors. These assessments identify threats, evaluate likelihoods, and gauge impacts, informing adjustments to the cybersecurity program.

A 3-Step Cycle of Assessment, Mitigation and Education

1. Assessment and Team Formation

  • Define, document, and assemble a team of stakeholders from key departments such as HR, IT, Finance and Risk Management.
  • Consider external assistance for risk assessment and analysis, involving legal counsel or compliance to mitigate legal or compliance exposure.
  • Identify threats across various categories and assess their likelihood and impact to determine overall risk.

2. Policy Review and Gap Analysis

  • Review current cybersecurity policies and procedures to identify internal and third-party vendor gaps.
  • Ensure thorough understanding of data access and security measures, both at rest and in transit.

3. Education and Vigilance

  • Educate staff on cybersecurity threats through regular security awareness training.
  • Conduct phishing simulations and exercises to gauge effectiveness.
  • Implement annual cybersecurity awareness training, incorporating real-world scenarios.

This continuous cycle of assessment, mitigation, and education aims to safeguard plan assets and data effectively.

Cybersecurity Best Practices

Fiduciaries and plan sponsors can improve their cybersecurity posture in addition to assessing, mitigating, and educating themselves.

Develop and Maintain an Incident Response Plan
Security incidents continue to increase, impacting organizational operations and compliance. An Incident Response Plan (IRP) is a living document that organizations use to clarify roles, responsibilities, and procedures for responding to a significant cybersecurity incident. It should be drafted, approved by senior management, disseminated within the organization, and continually updated as incidents or training exercises occur.
Immutable or Offline Encrypted Backups
Real-time monitoring and protection are both necessary, but every fiduciary or plan sponsor should also have immutable or offline backups of critical data in order to recover promptly. Backups should be tested regularly to ensure the availability and integrity of the data. If backups are kept only online and are mutable, they are a target for ransomware groups, and their state can be the deciding factor between paying a ransom (with further disruption and data loss) and restoring operations quickly and efficiently.
Clearly Documented Policies
  • Data Governance and Classification
  • Business Continuity and Disaster Recovery (Backups and Restores)
  • Asset Management
  • Vulnerability and Patch Management
  • Privacy Policy
  • Encryption (Protecting data transmitted or at rest)
  • Acceptable Use
Two-factor (2FA) and Multi-factor (MFA) Authentication
2FA and MFA remain some of the best ways to protect accounts from unauthorized access and compromise, and they should be enabled for all accounts on sites or services used by fiduciaries and plan sponsors. Two-factor or multi-factor authentication adds an extra layer beyond a traditional username and password, usually in the form of approvals or codes delivered via apps, text messages, or hardware tokens.
Vendors and Third Parties
Fiduciaries or plan sponsors must not forget about any third-party vendors that may have access to plan assets. Third-party vendors should have a System and Organization Controls 2 (SOC 2) report, which attests that they have an effective cybersecurity program and controls in place to securely access and manage plan data.

In conclusion, the threat landscape facing plans governed by the Employee Retirement Income Security Act (ERISA) and Employee Benefit Plans (EBPs) underscores the critical need for fiduciaries and plan sponsors to prioritize the protection of plan data. The increasing sophistication of cyber threats demands a proactive and holistic cybersecurity strategy, encompassing the three-step cycle of assessment, mitigation and education. By adhering to this approach and implementing key practices such as incident response planning and diligent management of third-party risk, fiduciaries and plan sponsors can maintain a robust cybersecurity program that meets the standard of procedural prudence.

About the Authors

Bryan M. Smith
Director of IT, Information Systems
Michael S. Bigler
Senior Manager, Assurance & Advisory