Cyberthreat: Incident or Nightmare?
Cybersecurity threats are deepening and spreading, with new tactics emerging every day. Small and midsize businesses are increasingly vulnerable, since they are typically leaner than larger businesses and wrapped in fewer layers of protection. Whether a cybersecurity breach is a frustrating disruption or a nightmare that puts businesses and owners at financial risk comes down to two words: preparation and protection. That goes doubly for businesses that sponsor ERISA retirement plans….
SMBs: Digital, Lean and Exposed to Cybercrime
Cybercrime is increasingly targeting smaller businesses, prompting Forbes contributor Randy Sadler to urge preventive measures: “…Cyber incidents that once registered as operational disruptions now behave more like balance-sheet events, capable of straining liquidity, interrupting revenue and creating longer-term financial drag….This shift demands a reassessment of how cyber risk is evaluated, financed and governed.”
Why the push on smaller businesses? As Accenture has found: “43% of cyberattacks targeted small businesses, reflecting attackers’ preference for organizations that present fewer defensive barriers while still offering meaningful financial upside.” Indeed, as Sadler further observes: “Cybercriminals are no longer concentrating their efforts on large enterprises; they’re increasingly directing attacks toward small and mid-market businesses. These organizations sit at an uncomfortable intersection of growing digital dependence and comparatively lean security and financial buffers.”
While all businesses need to guard against cyber threats, the importance of doing so is magnified for those sponsoring retirement plans such as 401(k)s. The combination of money and personal data held in retirement accounts makes them a lucrative target for cybercriminals, and as AARP has reported, older adults are particularly susceptible to digital deceit. Accordingly, retirement plan experts, including those at Watkins Ross, advise retirement plan sponsors to take cybersecurity ever more seriously:
If you’re responsible for managing your company’s 401(k) plan, cybersecurity might not be at the top of your to-do list—but it should be. Retirement plans contain highly sensitive financial and personal data, making them a prime target for cybercriminals. A cybersecurity policy is essential for protecting participant information, ensuring compliance, and most of all, keeping your employees’ hard-earned retirement savings safe.
Carefully Select, Contract With and Manage All Plan Vendors
Retirement plan leadership at CAPTRUST points out that in addition to the risk cybercrime poses to the “largest nest egg” most workers will ever have, cyber breaches come with “reputation and financial health” problems for plan sponsors. Indeed, as fiduciaries, retirement plan sponsors are obligated by the Department of Labor “to mitigate” cybersecurity threats to the plan. Specifically, retirement plan sponsors are required to address the three prongs of the DOL’s cybersecurity guidance. While doing so, Nick Brezinski of CAPTRUST stresses: “It’s not just about securing the plan itself….It’s about securing the entire ecosystem, including recordkeepers, third-party administrators, participants, and anyone else with access to plan data.” Cautioning that “fiduciary responsibility itself cannot be outsourced,” leaders at CAPTRUST share these insights related to selecting and monitoring plan service providers:
- Hiring external experts or service providers does not transfer the risk to that third party. The sponsor still owns the responsibility for securing plan data and running the plan’s broader cybersecurity program. External experts can supplement where internal resources are lacking, but accountability remains with the plan sponsor.
- It is crucial to vet vendors rigorously and confirm that they comply with stringent security standards. This includes regular reviews and contractual obligations regarding data protection.
- Use legal contracts to enforce cybersecurity standards. “It’s not enough to have a handshake agreement,” says Jon Atchison, CAPTRUST senior team lead for governance, risk, and compliance. “Where possible, make an effort to lock down your vendors with data privacy and security agreements.” These agreements legally bind vendors to maintain specified standards, which is essential for ensuring that vendor security practices align with the plan sponsor’s risk management strategy.
Protection Is Critical: Fiduciary and Cyber Liability Insurance
Under the high standards of ERISA, even a relatively minor cyber breach is not necessarily “small” for retirement plan sponsors: an incident can result in the sponsor being held personally liable for a fiduciary breach. Attorneys at Morgan Lewis confirm active enforcement of DOL cybersecurity protocols, noting that plan sponsors are being asked to provide:
- documents governing the IT systems, a breach response plan, a disaster recovery plan, and copies of system development lifecycle (SDLC) controls, if applicable;
- schedules of systems critical to the maintenance and protection of participant data and assets (including information on data used by the plan, where data resides, systems outsourced to service providers, and file sharing systems);
- external and internal cybersecurity audit reports, including audits of IT systems (SOC 1 or SOC 2), as well as internal and external (with auditors) communications;
- existence of cybersecurity insurance coverage;
- documents mentioning or discussing cybersecurity, including emails and minutes of plan committee or board of trustees/directors meetings where the plan’s cybersecurity readiness was discussed; and
- documents regarding cybersecurity events about unauthorized access or suspicious activity.
Because plan sponsors at small businesses tend to face the biggest hurdles in implementing cybersecurity protocols, Colonial Surety Company offers an efficient, affordable and clear solution. For a few dollars a day, plan sponsors can obtain protection for the company, the plan, and themselves with a Cyber Liability + Fiduciary Liability Insurance package. In addition to providing defense costs and penalty limits up to $1,000,000 for the sponsor, this package addresses numerous DOL recommendations by explicitly covering the plan and the business with:
- Expert-led response services following a data breach.
- Protection from lawsuits and regulatory actions related to the breach.
- Legal services.
- Computer forensic services.
- Public relations and crisis management expenses.
- Notification services.
- Call center services.
- Credit and identity monitoring.
Business owners: mitigate threats to the retirement plan, and reduce your personal liability, before another day goes by. Colonial Surety Company is here to help:
Cyber Liability Insurance + Fiduciary Liability Insurance Here
Colonial Surety Company is rated “A (Excellent)” by A.M. Best Company, is U.S. Treasury listed, and does business all across the country. Serving customers since 1930, we are the trusted source for the pension industry to secure ERISA bonds, fiduciary liability insurance and cyber liability insurance. We help safeguard plan sponsors, pension professionals and financial advisors, and keep their businesses compliant, with pain-free, efficient, and friendly service every time.