Q&A: EBP Fiduciary Duty in the Digital Age

Does Your Fiduciary Duty Include Cybersecurity? Understanding DOL Best Practices and Data Security for Employee Benefit Plan Sponsors

Are plan sponsors fiduciaries for cybersecurity? Yes, the Department of Labor (DOL) has clarified that plan fiduciaries have a legal obligation under ERISA to ensure proper mitigation of cybersecurity risks to protect plan data, assets, and participant information. This responsibility extends beyond just managing the money; it includes the prudent selection and ongoing monitoring of third-party service providers who handle sensitive participant data. In today’s regulatory environment, a plan sponsor’s fiduciary duty is not satisfied unless they are actively vetting their vendors’ security protocols and implementing a formal, well-documented cybersecurity program that aligns with industry best practices.

Key Takeaways

How does the Department of Labor define a plan sponsor’s fiduciary duty regarding cybersecurity?

Under ERISA, plan fiduciaries have a legal obligation to implement a formal cybersecurity program and perform ongoing monitoring of third-party service providers to protect plan assets and participant data from cyber threats.

What steps should a plan sponsor take to vet a service provider’s cybersecurity?

Plan fiduciaries should evaluate a provider’s security track record by reviewing their SOC 2 audit reports, verifying their use of multi-factor authentication, and ensuring that service contracts include specific requirements for data encryption and breach notification.

Which specific cybersecurity practices does the Department of Labor recommend for employee benefit plans?

The Department of Labor’s best practices include maintaining a written security policy, conducting annual risk assessments, performing independent third-party audits of security controls, and providing yearly cybersecurity awareness training for all personnel.

Q: Why is Cybersecurity Now Considered a Fiduciary Duty?

A: For many years, cybersecurity was viewed as an IT concern rather than a board-level fiduciary issue. However, recent DOL guidance and enforcement actions have changed the landscape significantly. The DOL now views participant data—such as Social Security numbers, dates of birth, and bank account information—as a “plan asset” that fiduciaries must protect with the same level of care as the actual retirement funds. Because cybercriminals frequently target retirement and health plans to initiate fraudulent distributions, the DOL expects plan sponsors to treat data security as a core component of their annual retirement plan compliance and oversight.

Q: How Should Sponsors Vet Third-Party Service Providers?

A: Most plan sponsors rely heavily on external recordkeepers, TPAs, and payroll providers to administer their benefits. While these partners offer efficiency, they also represent a significant point of vulnerability. To fulfill your EBP fiduciary duty for cybersecurity, you must go beyond a “handshake agreement” and perform rigorous due diligence. This includes requesting and reviewing a service provider’s SOC 2 Type II reports, which offer an independent assessment of their security controls over time. You should also ask about their data encryption standards, both for data at rest and data in transit, and ensure your contracts include specific language regarding breach notification timelines and indemnification for cyber incidents.

“In the eyes of the Department of Labor, participant data is now a protected plan asset; failing to secure it is no different than failing to secure the plan’s actual cash reserves.”

Q: What are the DOL’s “Best Practices” for Plan Cybersecurity?

A: The Department of Labor’s Employee Benefits Security Administration (EBSA) has issued a clear roadmap for what a “prudent” security program looks like. They don’t expect plan sponsors to be computer scientists, but they do expect them to have a high-level understanding of the threats and a documented process for managing them.

According to the DOL, a robust program should include:

  • A formal, written cybersecurity policy that is reviewed and updated at least annually.
  • Annual risk assessments, conducted and documented, to identify potential vulnerabilities.
  • The mandatory use of multi-factor authentication (MFA) for any platform accessing participant data.
  • Regular cybersecurity awareness training for all employees who handle plan administration.
  • A clear incident response plan that outlines the steps to take if a breach occurs.

Q: How Does This Impact the Audit Process?

A: When your CPA firm performs an employee benefit plan audit, they aren’t just looking at the numbers; they are evaluating the internal controls that protect those numbers. Increasingly, auditors are asking for proof of cybersecurity oversight as part of their risk assessment. If a plan sponsor cannot show that they have vetted their recordkeeper’s security or that they have an internal policy in place, it could be noted as a deficiency in internal controls. Documenting your vendor reviews and keeping a “cybersecurity file” ready for your auditors is now a vital part of safeguarding participant data and assets.

Q: Is Data as Important as Dollars?

A: In the digital age, a stolen identity can be just as devastating to a participant as a stolen retirement check. If a cybercriminal uses a participant’s data to drain an account, the legal and reputational fallout for the company can be massive. By treating cybersecurity as a top-tier fiduciary priority, you aren’t just checking a box for the DOL—you are protecting the hard-earned futures of your employees. Transitioning to a proactive approach to cybersecurity risk management for benefit plans ensures that your plan remains a secure vehicle for your staff and a compliant entity in the eyes of federal regulators.

Q: Strengthening Your Cybersecurity Posture for 2026

A: The Department of Labor has made it clear that cybersecurity is no longer a peripheral IT concern but a core fiduciary duty for employee benefit plan sponsors. As of early 2026, the DOL has officially designated cybersecurity as a national enforcement priority, signaling that investigators will now routinely demand documentation of how fiduciaries vet their service providers and protect participant data. To stay compliant and protect your employees’ futures, you must transition from a passive oversight model to a proactive, documented security program that includes annual risk assessments and rigorous third-party vendor audits. Ultimately, safeguarding your participants’ digital identities is now just as critical as managing their investment returns; failing to treat data as a protected plan asset can lead to severe regulatory penalties and significant litigation risk in the modern digital age.

Disclaimer: This article provides general information and should not be considered professional financial or tax advice. Please consult with a qualified CPA or financial advisor for guidance specific to your individual business needs. 

Jackie leverages her experience in audit, review, and compilation services across multiple industries to serve clients, including those requiring specialized employee benefit plan audits. She applies her audit skills to a variety of engagements, encompassing many of the firm’s client engagements since joining the firm in 2019, ensuring compliance and financial accuracy across diverse sectors, including employee benefit plans.


Jacquelyn Liesch, CPA
