What Are the Cybersecurity Obligations of Plan Sponsors?
The Department of Labor obligates retirement plan sponsors to mitigate cybersecurity threats to plan assets and data, and provides specific guidance for doing so. Still, many retirement plan sponsors find it overwhelming to develop action steps, which is understandable in the face of ever-expanding cyber threats. Read on for stepping stones forward, and a guardrail too.
Cybersecurity Actions: Crawl, Walk, Run
A wise first step for retirement plan sponsors is recognizing their obligations. As professionals at Teachers Insurance and Annuity Association of America (TIAA) remind us: “The MOVEit breach was a wake-up call for many organizations with retirement plans. Employers typically outsource plan administration, but under ERISA, they still have a fiduciary duty to manage their plans for the benefit of employees and participants. And based on the latest guidance from the U.S. Department of Labor (DOL), that includes getting serious about safeguarding their plans against cybersecurity risks.”
Specifically, the DOL requires retirement plan sponsors to mitigate cybersecurity threats to plan assets and data, and publishes cybersecurity program best practices to guide them. Plan sponsors must also ensure that all of their service providers follow strong security practices. The DOL further publishes online security tips intended for distribution to retirement plan participants. Despite this federal guidance in three parts, the scale of the challenge and responsibility makes it hard for many plan sponsors to get started on their obligation to mitigate cyber threats. Ron Barthel, an information security expert at TIAA, suggests that retirement plan sponsors take a “crawl, walk, run” approach toward fulfilling their cybersecurity responsibilities:
- At the minimum level, talk to service providers and do basic due diligence at least once a year, “because the landscape is always changing.”
- The next level requires plan sponsors to dive deeply into the DOL recommendations with all plan vendors and make sure they’re fully covering all the bases….
- “Committees typically include human resources personnel, perhaps economics experts, and an investment officer…but there’s no one there from tech or security. ‘Walking fast’ would have tech be part of the conversation.”
- In the optimal state, Barthel sees “running” employers as those whose chief information security officer (CISO) meets with plan service providers on a recurring basis. The CISO will know the probing questions to ask and be able to assess whether providers, contracts, and financial guarantees in the event of a breach are meeting minimum standards. They’ll also have the experience to identify what the plan could be doing better on the security front.
Plan Sponsors Must Monitor The Cybersecurity Practices of TPAs
Observing that retirement plan data is exposed to extra layers of risk as it “gets passed between many players—including recordkeepers, third-party administrators (TPAs), and custodians,” TIAA points out that “there are lots of opportunities for a fumble,” and underscores: “The buck stops with the employer, who’s responsible for hiring vendors and assessing their cybersecurity practices on a recurring basis.” Accordingly, four key cybersecurity actions for plan sponsors include:
- Vet vendors’ cybersecurity before you hire. Ask each service provider about its risk assessments, audit results, penetration testing outcomes, and breach history, and verify that its data-handling protocols meet your standards.
- Review contract terms for cybersecurity. Make sure each vendor’s timeline for issuing breach notifications is spelled out and that the vendor carries adequate cyber insurance. Require remediation plans and third-party audits.
- Monitor cybersecurity efforts regularly. Meet with vendors at least once a year for detailed cybersecurity updates and discussion, and include your technology team at the table.
- Patch your own cyber gaps. Ensure strong system access controls are in place. Train your team and participants regularly on cybersecurity awareness and on what to do when they spot a threat. Make a breach response plan. And formally document your cybersecurity program in writing.
An additional and critical point for retirement plan sponsors to understand is that even a minor incident can spiral into a bigger problem. As fiduciaries, plan sponsors can be held personally liable for a breach of fiduciary duty, such as failing to adequately mitigate cyber threats to the plan. Attorneys at Buchanan Ingersoll & Rooney remind us: “Fiduciaries hold significant control over the safety and integrity of a plan’s assets; compliance with ERISA fiduciary duties requires shielding plan assets from cyber threats….If plan fiduciaries fail to comply with strict ERISA duties regarding a plan’s assets, they can be found personally liable for breaches of their fiduciary obligations.”
Affordable Protection for Retirement Plan Sponsors
Fiduciary liability insurance is the only coverage that safeguards retirement plan sponsors personally, providing defense in the face of costly and disruptive ERISA allegations. Colonial Surety Company makes fiduciary liability insurance affordable for plan sponsors with businesses of every size, and for added value and protection, includes cyber liability insurance at no extra cost. For a few dollars a day, plan sponsors can obtain protection for the company, the plan, and themselves, with this Cyber Liability + Fiduciary Liability Insurance package.
In addition to defense costs and penalty limits of up to $1,000,000 when faced with claims of alleged or actual breaches of duty in connection with the employee retirement plan, Cyber Liability + Fiduciary Liability Insurance from Colonial Surety Company addresses numerous DOL recommendations by explicitly covering the plan and the business, and by including:
- Expert-led response services following a data breach.
- Protection from lawsuits and regulatory actions related to the breach.
- Legal services.
- Computer forensic services.
- Public relations and crisis management expenses.
- Notification services.
- Call center services.
- Credit and identity monitoring.
Retirement plan sponsors can obtain this comprehensive coverage online in minutes today or even speak to one of Colonial Surety Company’s knowledgeable ERISA experts for further support. Mitigate threats to the retirement plan, and reduce your personal liabilities before another day goes by:
Cyber+Fiduciary Liability Insurance for Retirement Plan Sponsors
Colonial Surety Company
- In business since 1930
- Rated “A” Excellent by A.M. Best Company
- US Treasury Listed