Cybersecurity Compliance for Employee Benefit Plans: Why Fiduciary Duty Extends to Digital Risk
In today’s digital-first environment, employee benefit plans are not just financial or health plans—they are data-rich ecosystems. From participants’ Social Security numbers to their sensitive health information, these plans hold a treasure trove of personal data that attracts bad actors. For plan sponsors and fiduciaries, safeguarding this information is no longer optional; it’s a core component of fiduciary responsibility under ERISA. At SingerLewak LLP, we help employee benefit plans understand their cybersecurity responsibilities and comply with these requirements.
The Expanding Scope of Fiduciary Duty: Cybersecurity
The U.S. Department of Labor (DOL) has made it clear: fiduciaries must act prudently and solely in the interest of plan participants and beneficiaries. This principle applies not only to investment decisions but also to operational practices, including cybersecurity. In fact, the Employee Benefits Security Administration (EBSA) reinforced this point by highlighting enforcement actions against entities that failed to meet fiduciary obligations.
“According to the U.S. Department of Labor’s EBSA guidance (Sept. 6, 2024), fiduciaries must act prudently and solely in the interest of plan participants. Failure to do so can result in enforcement actions and significant financial recovery efforts by the DOL.” The DOL confirmed that its cybersecurity guidance applies to all ERISA plans.
(Source: U.S. Department of Labor, EBSA News Release, https://www.dol.gov/newsroom/releases/ebsa/ebsa20240906-0)
This guidance underscores a critical concept: cybersecurity lapses can trigger fiduciary liability. If participant data is compromised due to inadequate internal controls or practices, fiduciaries may face regulatory scrutiny and potentially financial penalties.
Why Cybersecurity Matters for Benefit Plans
Employee benefit plans are prime targets for cybercriminals because of the rich ecosystem of participant data they hold. Threat actors exploit typical weaknesses, such as weak authentication, outdated systems, and insufficient vendor oversight, to gain access to sensitive data. A breach can lead to identity theft, fraudulent benefit claims, and reputational damage—not to mention costly remediation. As a general rule, proactive cybersecurity practices are more cost-effective than reactive ones.
For fiduciaries, the question is no longer “Should we invest in cybersecurity?” but “How do we integrate cybersecurity into our fiduciary framework?”
Practical Steps to Align with DOL Cybersecurity Expectations
To meet compliance obligations and protect plan participants, companies should adopt a proactive cybersecurity strategy. Here are six actionable steps to consider:
- Conduct a Cybersecurity Risk and Maturity Assessment
Identify vulnerabilities and ineffective controls in systems, processes, and third-party relationships. Document the findings and the remediation plan to demonstrate fiduciary responsibility.
- Implement Strong Cybersecurity Controls
Enforce strong cybersecurity controls (e.g., multi-factor authentication, incident response and recovery, etc.) for all plan-related systems that interact with participant data. Limit access based on job responsibilities and regularly review permissions.
- Vet and Manage Third-Party Service Providers
The DOL emphasizes oversight of vendors handling participant plan data. To manage vendors, require providers to adhere to industry cybersecurity standards and obtain contractual assurances.
- Engage a Competent Cybersecurity Partner
It is critical for fiduciaries to work with strong cybersecurity service providers to help put the required cybersecurity internal control practices in place. The DOL provides a guide to help fiduciaries find a suitable cybersecurity vendor. SingerLewak LLP can serve as a trusted cybersecurity partner.
Source: https://www.dol.gov/sites/dolgov/files/ebsa/key-topics/retirement-benefits/cybersecurity/tips-for-hiring-a-service-provider-with-strong-security-practices.pdf
- Develop an Incident Response Plan
Prepare for the inevitable: a well-defined incident response and recovery plan minimizes damage and demonstrates fiduciary diligence in the event of a breach.
- Educate Stakeholders
Train employees, workers, and fiduciaries on cybersecurity best practices. Human error remains a leading cause of breaches. Turn your employees and workers into cybersecurity assets.
The Business Case for Compliance
Beyond regulatory risk, robust cybersecurity improves trust. Participants expect their personal information to be protected. Demonstrating compliance with DOL guidance not only mitigates liability but also strengthens your organization’s reputation as a responsible steward of employee benefits.
Cybersecurity is no longer merely a technical issue for employee benefit plans—it’s a fiduciary requirement. As the DOL’s enforcement guidance shows, failure to act can have serious consequences. By embedding cybersecurity into your compliance strategy, you fulfill your legal obligations and safeguard the financial and personal well-being of your workforce.
If you would like to better understand your cybersecurity requirements and posture, or if you would like help to become compliant, please contact us at SingerLewak LLP – we would be happy to help.
Safeguarding participant information is both a legal obligation and a practical necessity for every employee benefit plan. As cyber threats continue to evolve, maintaining strong controls, monitoring vendors, and training stakeholders are essential steps in protecting your plan and the individuals who rely on it. Prioritizing cybersecurity strengthens compliance, reduces exposure to regulatory risk, and reinforces your role as a responsible fiduciary acting in the best interest of plan participants.