What Is a Proper Cybersecurity Policy for a Retirement Plan?
Plan fiduciaries should consider third-party audits, multi-factor authentication, cyber insurance and more when developing a written cybersecurity policy.
As participant data and plan assets are increasingly the target of cybersecurity and ransomware attacks, it is important that plan fiduciaries have pre-established procedures in place to protect themselves in the event that a breach occurs.
Developing a written cybersecurity policy with specific required procedures is necessary for plan sponsors to uphold their fiduciary duty and comply with Department of Labor standards, according to an insight brief published by law firm Cohen & Buckmann P.C.
“Although it isn’t specifically required by law, a written cybersecurity policy should be given the same importance as the plan’s investment policy statement, missing participant procedures … and loan procedures,” attorney Carol Buckmann wrote. “And given the frequency with which new kinds of threats and attacks occur, the cybersecurity policy will need to be reviewed and updated on a regular basis.”
The DOL updated its cybersecurity guidance last September for retirement plans and health and welfare plans covered by the Employee Retirement Income Security Act. The DOL also offers guidance for hiring service providers with strong cybersecurity practices.
While ERISA does not specifically mention cybersecurity, the fiduciary duties of prudence and to act in the best interest of participants include safeguarding sensitive personal and account information.
Cohen & Buckmann recommends considering several factors when developing a cyber policy.
For plan fiduciaries with access to personal data or participants’ investment accounts, Buckmann wrote that training is needed to make sure that the individuals with access to the information do not respond to phishing attempts or inadvertently install malware on their computers.
Training about cybersecurity is also important for employees at recordkeeping firms, as several recent lawsuits by participants whose accounts were accessed by hackers resulted from attacks made possible by human error.
Fidelity Investments was sued in October 2024, for example, after the personal information of 77,000 customers was exposed. The plaintiffs alleged that the recordkeeper failed to implement “adequate and reasonable measures” to ensure their computer systems were protected.
The case, Gluck et al v. Fidelity Investments, is currently pending in U.S. District Court for the District of Massachusetts.
Plan fiduciaries should also insist recordkeepers and other providers offer multi-factor authentication for accounts in their plans, according to Cohen & Buckmann, as it significantly lowers the risk of hacking by requiring users to utilize multiple channels of authentication. Cybercriminals may be able to guess passwords and user names, but it is more difficult for them to provide further substantiation, such as a one-time code sent to a participant’s cell phone.
In addition, any service provider with access to data or with authority to direct investments should undergo regular third-party audits of its systems and perform regular penetration tests (authorized, simulated cyberattacks). When conducting requests for proposals for service providers, fiduciaries could ask whether providers are frequently receiving third-party audits of their systems.
Because many providers use subcontractors to perform certain services for the plan, it is also essential that subcontractors are subject to the same scrutiny. If a subcontractor experiences a breach, it can have a ripple effect and expose plan participants’ data to hackers.
Plan sponsors should also seek to understand what happens to plan data when a service contract is terminated. According to Cohen & Buckmann, service providers should not retain data longer than required by law. Data should either be destroyed or returned to the plan after a contract ends.
Another important aspect of a cyber policy is ensuring that the plan has adequate cybersecurity insurance coverage. Because claims can be raised under state law, standard ERISA fiduciary liability insurance may not fully cover fiduciaries and their service providers. ERISA bonding coverage also does not cover thefts of assets by criminal hackers. As a result, the law firm recommends that an expert review a plan’s current coverage to see whether additional insurance is needed as part of the plan sponsor’s cyber policy.
Overall, Cohen & Buckmann stated that fiduciaries do not need to create these policies alone, as few plan sponsors are able to do so without assistance. Corporate security personnel should also be involved in this process, whether or not they are involved in running the retirement plan.
“The bottom line is that fiduciaries may be personally liable for losses caused by their breaches of their fiduciary responsibility to mitigate cybersecurity risks,” Buckmann stated in the insight brief.