
DOL Cybersecurity Series: Access Management and Service Provider Oversight

Written by Cameron Hodson, CPA, CISA | 30 Jun 2026


Article Summary

  • Retirement plan cybersecurity requires a layered approach that includes access management, strong authentication, monitoring, data validation, service provider oversight, and incident response planning.
  • Plan sponsors should limit and regularly review access to participant data and plan systems by assigning permissions based on job responsibilities, using multi-factor authentication, and promptly removing access when employees change roles or leave the organization.
  • Third-party service provider oversight is a fiduciary responsibility that should include a service provider inventory, documented cybersecurity expectations, review of contracts and SOC reports, and planning for potential cybersecurity incidents involving key providers.

In the first article of this series, we discussed governance and fiduciary oversight as the foundation of a retirement plan cybersecurity program. In this installment, we focus on two additional best practice areas emphasized by the Department of Labor (DOL): managing access to plan information and assets, and overseeing third-party service providers that store or process participant data. While the topics relevant to these best practice areas are mostly spelled out by the DOL in its Cybersecurity Program Best Practices document, we add some additional recommendations and flavor based on Larson’s extensive experience with control-based audits in the cybersecurity and employee benefit plan space.

Retirement plans contain a significant amount of sensitive information, including participant demographic information, payroll data, account balances, and distribution activity. Protecting that information requires a combination of preventative and detective controls working together.

Managing Access to Plan Information

A good starting point for any cybersecurity program is ensuring that only the right people have access to information.

Provision Access Based on Job Responsibilities

Organizations should first ensure that the systems they use are capable of restricting access by user or role. Once that capability exists, access should be granted based on an employee’s job responsibilities and the principle of least privilege.

In other words, employees should have access only to the information and functionality needed to perform their jobs.

Access should also be reviewed periodically. As a best practice, organizations should review user access at least quarterly to confirm permissions remain appropriate and that former employees, contractors, or other users no longer have access.

Most of the time, access management is accomplished through well-defined onboarding and termination procedures. Thorough onboarding and termination checklists and well-documented help desk tickets make it easier to complete each step and leave a strong audit trail.
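As an added example that is not from the article or the DOL guidance, the following Python script performs the quarterly access review described above: it reconciles a constructed export of plan-system accounts against a constructed HR roster and flags accounts for terminated employees, accounts with no HR record, permissions beyond the user's role, and users not enrolled in MFA. The field names and the role-to-permission mapping are assumptions.

```python
# Quarterly access review (added illustration, not from the original article): reconcile a
# plan system's user export against the HR roster. Field names and the role-to-permission
# mapping are assumptions; a real review would use the sponsor's own role definitions.

# Assumed least-privilege mapping of job responsibility -> permissions the role may hold.
ROLE_PERMISSIONS = {
    "payroll_specialist": {"view_participants", "submit_payroll"},
    "hr_manager": {"view_participants", "edit_deferrals"},
    "plan_admin": {"view_participants", "submit_payroll", "edit_deferrals", "approve_distributions"},
}

# Constructed HR roster; status is "active" or "terminated".
HR_ROSTER = [
    {"user": "asmith", "role": "payroll_specialist", "status": "active"},
    {"user": "bjones", "role": "hr_manager", "status": "terminated"},
    {"user": "clee", "role": "hr_manager", "status": "active"},
]

# Constructed export of accounts and granted permissions from the recordkeeper portal.
SYSTEM_USERS = [
    {"user": "asmith", "permissions": {"view_participants", "submit_payroll"}, "mfa": True},
    {"user": "bjones", "permissions": {"view_participants", "edit_deferrals"}, "mfa": True},
    {"user": "clee", "permissions": {"view_participants", "edit_deferrals", "approve_distributions"}, "mfa": False},
    {"user": "svc_legacy", "permissions": {"view_participants"}, "mfa": False},
]

def review_access(roster, system_users):
    """Return (user, finding) pairs for the reviewer to resolve and document in the review ticket."""
    by_user = {r["user"]: r for r in roster}
    findings = []
    for acct in system_users:
        person = by_user.get(acct["user"])
        if person is None:
            findings.append((acct["user"], "account has no matching HR record"))
            continue
        if person["status"] != "active":
            # The termination checklist failed to remove this account.
            findings.append((acct["user"], "account active for terminated employee"))
            continue
        excess = acct["permissions"] - ROLE_PERMISSIONS.get(person["role"], set())
        if excess:
            findings.append((acct["user"], f"permissions beyond role: {sorted(excess)}"))
        if not acct["mfa"]:
            findings.append((acct["user"], "MFA not enrolled"))
    return findings

if __name__ == "__main__":
    for user, finding in review_access(HR_ROSTER, SYSTEM_USERS):
        print(f"{user}: {finding}")
```

Each finding maps to a checklist action (disable the account, trim the permission, enroll MFA) and the resolved list becomes the quarter's review evidence.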

Strengthen Authentication Controls

Even appropriately assigned access can be compromised if authentication controls are weak.

The DOL recommends implementing strong authentication practices, including unique passwords and multi-factor authentication (MFA). Organizations should encourage employees to use long, unique passphrases and consider tools such as password managers or single sign-on solutions to simplify credential management.

MFA provides an additional layer of protection by requiring users to verify their identity through multiple methods before gaining access to a system. Particular attention should be given to systems that contain personally identifiable information (PII), participant account information, or other sensitive data. Where feasible, organizations should consider phishing-resistant MFA solutions for these higher-risk environments.

Monitoring for Unauthorized Activity

Access controls are designed to prevent unauthorized activity. Monitoring helps detect issues when preventative controls fail, which often happens with manual, people-dependent controls such as removing access to systems when an employee changes roles or is terminated.

Organizations should maintain policies, procedures, and controls to identify unauthorized access, misuse of information, or potential tampering with sensitive data. Monitoring activities may include reviewing access logs, investigating unusual account activity, and leveraging software tools designed to identify suspicious behavior.

The objective is not to review every event manually. Rather, organizations should establish a process that provides reasonable assurance that unusual or unauthorized activity will be identified and investigated in a timely manner. For especially important types of activity, such as distribution requests or loans, the system will typically send automated notifications to responsible individuals, and these should be reviewed promptly.

Retirement Plans Present Unique Data Integrity Challenges

Retirement plans often involve ongoing exchanges of information between the plan sponsor and multiple service providers, including payroll processors, recordkeepers, and third-party administrators.

Because information is regularly moving between systems, plan sponsors should have procedures in place to verify that data maintained by service providers remains accurate and complete.

This begins with transaction-level reviews. Any time data is transferred to a service provider, confirm that the input and the output match. Two examples:

  1. Whenever a plan sponsor submits a payroll, the individual overseeing this process should check the subtotals on the company side and the service provider side to ensure they match.
  2. When a manual change is made to a participant’s contribution percentage, the responsible individual should ensure that the new percentage matches the participant’s request.

In addition to transaction-level reviews, plan sponsors may consider periodic spot checks. A sample of participant records can provide valuable insight into whether information is being transferred and maintained accurately across systems. For example, organizations may periodically compare compensation information, contribution amounts, loan activity, and participant demographic information between internal records and service provider records. They may consider doing this for a small cross-section of employees annually or a few each quarter. This could help uncover issues with a data transfer process.
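As an added example that is not from the article, the Python below carries out both checks just described on constructed data: it compares the sponsor's payroll subtotals with the recordkeeper's posted totals (the transaction-level review) and then compares a small sample of participants field by field (the periodic spot check). The file layout and field names are assumptions, not any payroll or recordkeeper format.

```python
# Payroll submission reconciliation (added illustration, not from the original article):
# compare the sponsor's payroll subtotals with the recordkeeper's posted totals, then
# spot-check a sample of participants record by record. Field names are assumptions.
from decimal import Decimal

# Constructed sponsor-side payroll detail for one pay date.
SPONSOR_PAYROLL = [
    {"id": "1001", "comp": Decimal("4000.00"), "ee_pretax": Decimal("240.00"), "er_match": Decimal("120.00"), "loan": Decimal("0.00")},
    {"id": "1002", "comp": Decimal("5200.00"), "ee_pretax": Decimal("520.00"), "er_match": Decimal("156.00"), "loan": Decimal("85.50")},
    {"id": "1003", "comp": Decimal("3100.00"), "ee_pretax": Decimal("93.00"), "er_match": Decimal("93.00"), "loan": Decimal("0.00")},
]

# Constructed recordkeeper confirmation: 1003's deferral was posted as 9.30 instead of 93.00.
RECORDKEEPER_POSTED = [
    {"id": "1001", "comp": Decimal("4000.00"), "ee_pretax": Decimal("240.00"), "er_match": Decimal("120.00"), "loan": Decimal("0.00")},
    {"id": "1002", "comp": Decimal("5200.00"), "ee_pretax": Decimal("520.00"), "er_match": Decimal("156.00"), "loan": Decimal("85.50")},
    {"id": "1003", "comp": Decimal("3100.00"), "ee_pretax": Decimal("9.30"), "er_match": Decimal("93.00"), "loan": Decimal("0.00")},
]

FIELDS = ("comp", "ee_pretax", "er_match", "loan")

def subtotals(rows):
    """Batch totals per money field, the figures a reviewer compares on both sides."""
    return {f: sum((r[f] for r in rows), Decimal("0.00")) for f in FIELDS}

def reconcile(sponsor_rows, posted_rows, sample_ids=()):
    """Return discrepancy descriptions; an empty list means both sides agree."""
    issues = []
    # Transaction-level review: subtotals must match before the batch is accepted.
    s_tot, p_tot = subtotals(sponsor_rows), subtotals(posted_rows)
    for f in FIELDS:
        if s_tot[f] != p_tot[f]:
            issues.append(f"subtotal {f}: sponsor {s_tot[f]} vs recordkeeper {p_tot[f]}")
    # Spot check: compare a small sample of participants field by field.
    posted = {r["id"]: r for r in posted_rows}
    for row in sponsor_rows:
        if row["id"] not in sample_ids:
            continue
        other = posted.get(row["id"])
        if other is None:
            issues.append(f"participant {row['id']}: missing from recordkeeper file")
            continue
        for f in FIELDS:
            if row[f] != other[f]:
                issues.append(f"participant {row['id']} {f}: sponsor {row[f]} vs recordkeeper {other[f]}")
    return issues
```

Calling `reconcile(SPONSOR_PAYROLL, RECORDKEEPER_POSTED, sample_ids={"1002", "1003"})` reports the subtotal mismatch and pinpoints participant 1003 as its source, which is exactly the discrepancy the two reviews are meant to catch before it reaches a participant's account.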

Organizations should also maintain procedures to verify participant identities before processing distributions or other requests involving plan assets. These controls can help reduce the risk of fraud and unauthorized transactions.

Oversight of Third-Party Service Providers

Many retirement plan functions are performed by third-party providers. While these providers may maintain participant data and process transactions, responsibility for oversight remains with the plan sponsor.

Understand and Assess Third-Party Risk

Organizations should evaluate the risks associated with each service provider and identify controls to address those risks. Considerations may include the type of information the provider can access, the criticality of the services provided, and the potential impact of a cybersecurity incident.

One practical tool is a service provider inventory. This can be as simple as a spreadsheet that tracks:

  • Service providers used by the plan
  • Services performed
  • Access to sensitive information
  • Internal relationship owners
  • Dates of the most recent review or assessment
  • Access control practices, including the use of multi-factor authentication
  • Encryption of data both in transit and at rest
  • Notification requirements in the event of a cybersecurity incident

This inventory can then be used to perform annual assessments of the service organization’s performance and adherence to its security commitments.

Establish Minimum Cybersecurity Expectations

The DOL recommends establishing minimum cybersecurity expectations for third-party providers and periodically assessing whether those expectations continue to be met.

At a minimum, contracts should address:

These provisions help establish clear expectations and improve communication if an incident occurs.

Leverage Independent Assessments

One of the most effective and common ways to evaluate a service provider’s cybersecurity controls is through an independent System and Organization Controls (SOC) report.

SOC reports provide insight into a provider’s control environment and may include testing of controls related to security, access management, change management, and other key areas. Reviewing these reports can help plan sponsors gain additional comfort that service providers are operating effective controls.

To appropriately review a SOC report, the responsible individuals, usually a collaboration between HR and IT, should verify that the expected assertions about the service provider’s control environment and security practices are present and were tested by the third-party auditor. Any exceptions should be understood and, where warranted, discussed with the service provider. This review should be documented and noted in the service provider inventory.

Prepare for a Cybersecurity Incident

Even strong cybersecurity programs must assume that incidents can occur.

Organizations should maintain documented incident response procedures that define responsibilities, communication protocols, and escalation requirements. Consideration should also be given to how the organization would respond if a significant incident occurred at a critical service provider.

Periodic tabletop exercises can help organizations identify gaps in their response process and improve readiness before an actual incident occurs. A tabletop exercise gathers key members of management and department heads to talk through what each person is responsible for during incident response. This can be a verbal exercise, but should be as detailed as possible to uncover any gaps in the response process.

Final Thoughts

Effective cybersecurity for retirement plans is not built around a single control. It requires a layered approach that combines strong access management, ongoing monitoring, data validation procedures, and oversight of third-party service providers.

By focusing on these areas, plan sponsors can strengthen the protection of participant information and demonstrate prudent oversight of plan assets in an increasingly complex cybersecurity environment.

Frequently Asked Questions About Retirement Plan Access and Service Provider Oversight

What cybersecurity responsibilities do retirement plan sponsors have?
Retirement plan sponsors are responsible for protecting participant information and plan assets, even when plan administration functions are outsourced to third-party providers. This includes implementing access controls, monitoring for unauthorized activity, overseeing service providers, and maintaining an incident response plan.

How often should retirement plan user access be reviewed?
The Department of Labor recommends periodically reviewing user access to ensure employees retain only the permissions necessary to perform their jobs. Many organizations perform access reviews quarterly to identify excessive access, remove former employees, and verify that permissions remain appropriate.

How can plan sponsors evaluate the cybersecurity practices of their service providers?
Plan sponsors can evaluate service providers by conducting periodic risk assessments, reviewing cybersecurity practices, maintaining a vendor inventory, and requesting independent assurance reports such as SOC reports. Contracts should also address access controls, encryption standards, and cybersecurity incident notification requirements.

What participant information should plan sponsors periodically verify with their service providers?
Plan sponsors should periodically compare key participant information between internal records and service provider records, including compensation, employee and employer contributions, loan activity, account transactions, hire dates, and other demographic information. Periodic spot checks can help identify discrepancies before they create operational or compliance issues.

For additional guidance, please contact the Larson Cybersecurity Team.
