
Cybersecurity: A Fiduciary Duty for Plan Sponsors

Jun 1, 2026

When you sponsor a retirement plan, it is tempting to assume your service providers have everything covered. However, under the Employee Retirement Income Security Act (ERISA), selecting and monitoring these vendors is itself a fiduciary act. Because retirement accounts hold highly sensitive personal data and significant financial assets, they are prime targets for cybercriminals, especially at small to midsize businesses with leaner defenses. The Department of Labor (DOL) explicitly obligates plan sponsors to mitigate cybersecurity threats. Ultimately, accountability cannot be outsourced: as a plan sponsor, you can be held personally liable for a breach or for a vendor's security shortcomings.


Action Plan: Cybersecurity Oversight

The DOL obligates retirement plan sponsors to mitigate cybersecurity threats to plan assets and data, and this includes thorough due diligence on vendor security practices. Specifically, sponsors should follow the cybersecurity guidance issued by the DOL's Employee Benefits Security Administration (EBSA), which has three parts: cybersecurity program best practices for plan sponsors and fiduciaries, tips for hiring a service provider with strong cybersecurity practices, and online security tips for distribution to retirement plan participants.

You do not need a degree in cybersecurity to protect the company retirement plan. Fulfilling your fiduciary duty involves taking tangible, documented steps. For example, attorneys at Morgan Lewis recommend these types of cybersecurity oversight actions for retirement plan fiduciaries:

  • Vet and Monitor Vendors Rigorously: Do not rely on handshake agreements. Audit the security practices, certifications, and SOC reports of recordkeepers, TPAs, and payroll companies, and repeat that review periodically rather than only at onboarding. Carefully document all related discussions and actions.
  • Enforce Legal Contracts: Ensure service contracts include clearly defined cybersecurity requirements, data privacy terms, and mandatory notification procedures and timelines for security incidents.
  • Train Employees: Establish ongoing training to help staff recognize phishing attempts, practice strong password hygiene, and safely handle plan data. Confirm that your vendors train their own staff in the same way.
  • Maintain a Thorough Response Plan: Document clear, actionable procedures to contain damage and notify affected parties if a breach occurs. A written, tested plan demonstrates a proactive commitment to regulatory standards during a DOL audit or investigation.

Good To Understand: What Is a Social Engineering Attack?

As cybersecurity threats continue to evolve, it is important for business owners and retirement plan sponsors to stay on top of the various ways that criminals can attack. Phishing, for example, is just one form of a broader category of threat known as social engineering. As the Cybersecurity & Infrastructure Security Agency (CISA) explains:

  • In a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. 
  • An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization’s network. 
  • If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.
  • Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. 


Free Cybersecurity Resources for Business Owners

Understandably, small businesses face some of the largest cybersecurity challenges for both the business and the retirement plan, since they typically are stretched thin and have fewer resources to put toward security. Many governmental, nonprofit and educational institutions provide business owners with free resources to help address cybersecurity threats. For example, the National Security Agency publishes NSA's Top Ten Cybersecurity Mitigation Strategies, which maps its ten strategies to the five core functions of the NIST Cybersecurity Framework:

  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover

Cautioning that "As the cybersecurity space evolves, plan sponsors should be aware that they could be held liable if they do not follow prudent processes to safeguard plan data," the SPARK Institute (Society of Professional Asset Managers and Recordkeepers) offers a compendium of helpful information for retirement plan sponsors to use in collaboration with their service providers: Cybersecurity & Fraud Resources – SPARK Institute.


Two Key Layers of Protection: Fiduciary & Cyber Liability Insurance


Because the Department of Labor holds plan sponsors personally liable for administrative oversight of the plan and views data breaches as fiduciary failures, comprehensive protection requires a three-prong approach: the mandated bond plus two layers of insurance. Securing your retirement plan, however, should not require navigating multiple brokers, hidden fees, and disconnected insurance policies.

Colonial Surety Company solves the complex puzzle of ERISA compliance and protection by putting all three essential coverages into one seamless, affordable bundle:

  1. ERISA Fidelity Bond: Fulfills your federal mandate to protect plan funds from dishonesty. (Colonial Surety is a direct, Treasury-Listed bond writer).
  2. Fiduciary Liability Insurance (FLI): Shields your personal assets, covering up to $1,000,000 in legal defense costs and penalties for administrative errors or oversight omissions.
  3. Complimentary Cyber Liability Insurance: Provides protection for the plan and company against regulatory actions following a data breach and directly supports the DOL's recommendation to maintain an incident response plan.

Protect your retirement plan, your business, and your personal assets in one smart move.

Get Your Instant Quote & Download Your Proof of Coverage in Minutes


Why Choose Colonial Surety Company?

  • Trusted & Reliable: U.S. Treasury Listed, Rated “A” (Excellent) by A.M. Best Company, and in business since 1930.
  • Direct & Digital: Skip the middleman. Quote, purchase, and download your full protection package entirely online in minutes.
  • The Carrier, Not a Broker: No agent markups, no waiting for a callback, and no unnecessary fees.

  • National Reach, Local Support: Licensed nationwide with a knowledgeable, US-based customer service team ready to assist you.