Cybersecurity: Very Much A Fiduciary Responsibility
When you sponsor a retirement plan, it can be very tempting to trust that everybody else involved is always on top of everything. That is a risky approach, however, because even with the best service providers in town, you as the sponsor retain oversight obligations. In fact, under the high standards of the Employee Retirement Income Security Act (ERISA), your selection of providers for the plan is itself a fiduciary act. Bottom line: you can be held personally responsible for their mistakes, including shortcomings related to the plan's cybersecurity. Read on for important insights about protecting the plan and yourself.
What Does Prudent Oversight for Cybersecurity Look Like?
At Adcock Financial Group, Brian Adcock urges retirement plan sponsors to take their oversight responsibilities seriously and, in doing so, not to overlook cybersecurity: "Many plan sponsors assume data protection falls outside their wheelhouse. But when it comes to your 401(k) plan, cybersecurity is very much a fiduciary responsibility, and it's one that can have serious consequences if you don't address it properly." For perspective, Adcock reminds us that everything cyber criminals are after (Social Security numbers, birthdates, account balances and beneficiary details) can be found in retirement accounts. Accordingly, he advises "exercising the same level of prudent oversight for cybersecurity" that sponsors should already be applying to investment selection, fee monitoring and participant communications.
Fortunately, there are reasonable and tangible steps retirement plan sponsors can take to protect participant information and plan assets, and a degree in cybersecurity is not required. Adcock suggests that plan sponsors can significantly reduce their cybersecurity risk by taking actions like these:
- Protect data. Encrypt participant information at rest and in transit, and require multi-factor authentication for anyone who can access plan data or move plan assets.
- Train employees. Teach them to spot phishing, use strong and unique passwords, and report suspicious activity promptly.
- Plan for incidents. Have a written, tested incident response plan so you can contain damage quickly and demonstrate your commitment to safeguarding participant data.
- Monitor service providers carefully. Most plan sponsors rely on recordkeepers, payroll companies, TPAs, and other providers. Since these vendors have access to participant data, their cybersecurity practices directly affect your plan's exposure to risk.
  - When choosing a vendor, ask specific questions. Check their security measures, certifications, independent audit results, and incident handling. Don't hesitate to ask the tough questions; your fiduciary duty requires this level of due diligence.
  - Keep tabs on your providers' security through regular updates and audit report reviews to confirm they have proper protections in place. Make sure your service contracts include clearly defined cybersecurity requirements and detailed notification procedures (including timelines) for any security incident.
Good To Know: The Department of Labor and Cybersecurity?
Yes. The Department of Labor (DOL) expects retirement plan sponsors to mitigate cybersecurity threats to plan assets and data. Toward that end, the DOL's Employee Benefits Security Administration publishes cybersecurity guidance for plan sponsors and fiduciaries, including its Cybersecurity Program Best Practices and Tips for Hiring a Service Provider with Strong Cybersecurity Practices. Plan sponsors are also expected to make sure that the service providers they select and retain follow strong security practices. For participants, the DOL provides Online Security Tips that sponsors can distribute directly.
Affordable Protection For Retirement Plan Sponsors
When it comes to cybersecurity, even a minor incident can spiral into a bigger problem for plan sponsors. As fiduciaries, sponsors can be held personally liable for a breach of duty, such as failing to adequately mitigate cyber threats to the plan. Fiduciary liability insurance is the coverage designed to safeguard retirement plan sponsors personally, providing a defense in the face of costly and disruptive ERISA allegations.
Colonial Surety Company makes fiduciary liability insurance affordable for plan sponsors with businesses of every size and, for added value and protection, includes cyber liability insurance at no extra cost. For a few dollars a day, plan sponsors can obtain protection for the company, the plan, and themselves with the Cyber Liability+Fiduciary Liability Insurance package.
In addition to providing defense costs and penalty limits of up to $1,000,000 when faced with claims of alleged or actual breaches of duty in connection with the employee retirement plan, Cyber Liability+Fiduciary Liability Insurance from Colonial Surety Company addresses numerous DOL recommendations by explicitly covering the plan and the business, and by including:
- Expert-led response services following a data breach.
- Protection from lawsuits and regulatory actions related to the breach.
- Legal services.
- Computer forensic services.
- Public relations and crisis management expenses.
- Notification services.
- Call center services.
- Credit and identity monitoring.
Retirement plan sponsors can obtain this comprehensive coverage online in minutes. Mitigate threats to the retirement plan and reduce your personal liability right here:
Cyber+Fiduciary Liability Insurance for Retirement Plan Sponsors
Colonial Surety Company
- In business since 1930
- Rated “A” Excellent by A.M. Best Company
- US Treasury Listed