May 7, 2026
Managing fiduciary responsibilities as a 401(k) plan sponsor can be a daunting task even without the added stress of navigating the ever-changing and sometimes confusing world of cybersecurity. However, the reality is that these plans can hold millions of dollars’ worth of assets and often store additional sensitive information about participants that can be used to identify them and violate their privacy. Attackers understand this, and in the same way we might use new technologies like Artificial Intelligence to proofread an email or check our spelling, they will use them to try to find vulnerabilities within your systems that they can exploit.
Recognizing the present and growing threat to plan participants and their data, the U.S. Department of Labor’s Employee Benefits Security Administration (EBSA) has elevated cybersecurity to an enforcement priority for 2026. Under this priority, EBSA expects plan sponsors to take responsibility for their participants’ data and to implement safeguards that help prevent, detect, and monitor threats to their systems. Plan sponsors are also expected to ensure that any service providers used in the administration of plan-related IT systems are implementing safeguards of their own.
This article will help highlight the importance of a robust cybersecurity program, along with the role that an annual risk assessment plays in meeting your fiduciary responsibilities as plan sponsors.
A cybersecurity program is the combination of the policies, procedures, guidelines, practices, and culture within an organization to identify, assess, and address both internal and external risks to the confidentiality, integrity, or availability of data. An effective program will be able to identify risks, establish protections for assets, detect and address any security events, recover from incidents, disclose events as appropriate, and return to normal operations. The cybersecurity program should also undergo third-party auditing to provide independent attestation of its effectiveness and appropriate design.
The foundation of any cybersecurity program is the policies and procedures in place to develop strong and consistent workplace practices. These policies should be approved by senior management, reviewed at least annually, and be assessed against common security frameworks.
The EBSA expects formal, documented policies for several areas, including the following:
During an examination, the EBSA will request to see how these and similar policies are managed by plan sponsors for any plan-related systems, as well as how they are explained to and understood by those who use them.
It’s important to keep in mind that a cybersecurity program should be consistent enough to be well known and understood, but flexible enough to adjust to new threats and emerging risks.
A core part of the cybersecurity program is the completion of a regular risk assessment. Such assessments are used to identify, categorize, and prioritize threats to the system. An effective risk assessment will identify assets along with the potential threats to them. Typically, a risk score is assigned based on the likelihood of the threat event occurring and the impact it would have on the organization. This score is then evaluated and mapped to the controls already in place, and plans are put into action to close any gaps, either by implementing additional safeguards or by avoiding the risk altogether through a change of approach. Mitigation plans should be robust and given high priority for any risk scored as having both high likelihood and high impact.
Because we don’t have unlimited time and resources to cover every possible risk, there may be some cases where management decides to accept a level of risk where the potential likelihood and/or impact of a threat is low enough. Risk assessments are used to help management in making these decisions and deciding where to best allocate time and resources.
Much like the cybersecurity program as a whole, it’s important that risk assessments are adjusted frequently to account for new threats or changes in resource availability. Good practice is to perform an assessment annually and adjust mitigation plans accordingly. During examination, plan sponsors will need to be able to demonstrate to the EBSA that a regular risk assessment is performed and mitigation plans are developed accordingly.
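As an added illustration (not code from the article or from EBSA), the Python below is a minimal risk register of the kind described above: each threat is scored by likelihood times impact on a three-level scale, mapped against the safeguards already implemented, and given a disposition (covered, accept, mitigate, or high-priority mitigate), then the register is sorted so the largest open gaps come first. The scale, thresholds, control names and sample risks are all constructed assumptions; a real assessment uses the organization’s own scale and framework mapping.

```python
"""Constructed 401(k) plan risk register: score threats by likelihood x impact,
map them to existing controls, and rank the mitigation gaps."""
from dataclasses import dataclass

# Three-level ordinal scale, assumed for this example.
LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    asset: str                 # e.g. participant PII store
    threat: str
    likelihood: str            # low / medium / high
    impact: str                # low / medium / high
    required_controls: tuple   # safeguards that should cover this threat


def score(risk):
    """Inherent risk score = likelihood x impact (1..9)."""
    return LEVEL[risk.likelihood] * LEVEL[risk.impact]


def control_gaps(risk, implemented):
    """Required safeguards not yet in place for this risk."""
    return [c for c in risk.required_controls if c not in implemented]


def disposition(risk, implemented, accept_threshold=2, high_threshold=6):
    """Covered if every required control exists; accept if the score is low
    enough for management to accept (document it and revisit annually);
    otherwise mitigate, with high priority above high_threshold."""
    gaps = control_gaps(risk, implemented)
    s = score(risk)
    if not gaps:
        return "covered"
    if s <= accept_threshold:
        return "accept"
    return "mitigate-high" if s >= high_threshold else "mitigate"


def prioritized_register(risks, implemented):
    """Rows (score, asset, threat, disposition, gaps), highest score first."""
    rows = [(score(r), r.asset, r.threat, disposition(r, implemented),
             control_gaps(r, implemented)) for r in risks]
    return sorted(rows, key=lambda row: -row[0])


# Constructed sample data (illustrative only, not from any real plan).
IMPLEMENTED = {"mfa", "encryption-at-rest", "vendor-soc2-review"}
RISKS = [
    Risk("participant PII store", "credential phishing of HR staff", "high", "high", ("mfa", "phishing-training")),
    Risk("payroll feed to recordkeeper", "ransomware on file server", "medium", "high", ("offline-backups", "endpoint-protection")),
    Risk("recordkeeper portal", "vendor breach", "low", "high", ("vendor-soc2-review",)),
    Risk("public plan summary PDF", "website defacement", "low", "low", ("web-hardening",)),
]

if __name__ == "__main__":
    for row in prioritized_register(RISKS, IMPLEMENTED):
        print(row)
```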
While evaluating the risks, it’s possible to find instances where the best solution is to transfer the risk to an outsourced service provider. Typically, these providers will supply and help maintain the underlying IT systems that support the operation and administration of 401(k) plans. In cases where vendors are used, it is important that plan sponsors take on an investigative role to determine what safeguards they have in place and evaluate the appropriateness of their cybersecurity program. Plan sponsors are expected to ensure standards regarding confidentiality, availability, and integrity are set and maintained through language in contractual agreements, and through regular vendor review. Information systems audits performed by an independent third party can be a great resource for plan sponsors in reviewing the safeguards vendors employ as part of their cybersecurity programs.
Where should a plan sponsor start if they don’t have a cybersecurity program in place?
The best place to begin building a robust cybersecurity program is with strong policies and procedures. Senior leadership should be involved in the research and development of specific policies covering a wide range of security topics. Special attention should be given to policies surrounding participants’ sensitive data, who can access it, and how it will be stored. Next, these policies and procedures should be well understood by everyone using them and should regularly be reinforced through training and leadership example.
How do I know if my current security policies are sufficient?
One of the biggest challenges in cybersecurity, especially when establishing appropriate security policies, is trying to set up defenses without knowing for sure where an attack will come from or what it will look like. A great resource to use, and something EBSA will expect to see, is an evaluation of your security policies and practices against frameworks established by authoritative bodies. A popular example is the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF). Assurance and recommendations can also be gained from independent third-party assessments of your organization’s current practices.
What are some threats that plan sponsors need to be aware of?
We’ve probably all heard of the dangers of phishing emails or scam phone calls, but social engineering remains one of the biggest threats to organizations and has only gotten more dangerous. With the help of AI, phishing emails are becoming harder to distinguish from legitimate requests, and attackers are even able to replicate the voices and likenesses of company executives to request confidential information. Attackers use these and similar methods to gather usernames, passwords, and other forms of authentication to gain access to a company. From there, they can compromise sensitive user data, or even encrypt files, making them impossible to access without paying a ransom.