Retirement Plans: Add Cybersecurity to your Fiduciary Responsibilities

Consortium Hot Topics

By Dave Mauger, New Pinnacle Consulting Group

Cybersecurity is a serious concern, and the many breaches reported in the news indicate it is not going away. A cybersecurity breach in your plan could result in plan losses, and the plan fiduciaries may be liable for a breach of fiduciary duties. The lawsuits against Abbott Labs and Estee Lauder alleged that the plan sponsor and plan providers were in breach of their fiduciary duties of loyalty and prudence when unauthorized distributions were taken from the plan participants’ accounts.

Given the severity of the breaches, it is no surprise that the regulators have taken notice. In April 2021 the Department of Labor (DOL) released guidance for plan sponsors, fiduciaries and participants, as well as service providers, to address cybersecurity in retirement plans. While the guidance was released as a best practice rather than as a regulation for Employee Retirement Income Security Act (ERISA) plans, it is attention-worthy given that ERISA, which became law in 1974, does not address cybersecurity, and neither the IRS nor the DOL has released formal guidance on cybersecurity responsibilities.

We suggest taking action now, as we understand auditors have begun incorporating cybersecurity into their plan audits. Auditor documentation requests have included cybersecurity and information system program policies, procedures, and plan-related guidelines, regardless of whether they are applied by the plan sponsor or a service provider, as well as documentation showing the specific actions taken by the plan sponsor and its vendors.

In order to mitigate cybersecurity risk to your retirement plan, consider taking the following steps:

  1. Include cybersecurity on your list of fiduciary responsibilities, educate the plan fiduciaries, and add it to the annual plan review agenda.
  2. Review the DOL guidance, which comes in three forms:
     1. Review and document oversight of all service providers.
     2. Monitor and maintain provider cybersecurity policies, including any updates.
     3. Help your plan participants guard against retirement plan theft by sharing the DOL’s Online Security Tips.

The main takeaway is that ultimately, plan sponsors are responsible for the plan’s cybersecurity risk even if much of that responsibility is delegated to the plan’s service providers.

Dave Mauger is a Managing Partner at New Pinnacle Consulting Group, which provides a full range of retirement plan services and specializes in 403(b) retirement plans.