Skip to Content

Cybersecurity considerations for benefit plans

March 6, 2017 Article 2 min read
Michael Krucker Sarah Pavelek
The push is on for fiduciaries to ramp up their protection of benefit plan information systems. How tight is cybersecurity for your benefit plans?

woman with glasses looking at technology  

The Department of Labor (DOL) continually stresses the importance of a plan sponsor’s fiduciary duties. Fiduciaries act on behalf of benefit plan participants and beneficiaries and are thus entrusted with many responsibilities. They are also commonly entrusted with handling, transmitting and protecting sensitive data or information.

The ERISA Advisory Council on Employee Welfare and Pension Benefits (the Council) recently issued a report that highlights cybersecurity, an area that the Council believes plan sponsors may not be fully addressing as they carry out their fiduciary responsibilities. The report is entitled Cybersecurity Considerations for Benefit Plans and it recommends that the DOL raise awareness about cybersecurity risks and the key elements for developing a cybersecurity strategy specifically focused on benefit plans.

In most cases, benefit plans have a large number of people, both employees of plan sponsors and employees of unrelated service providers, with access to and handling sensitive employee benefit plan information. Accordingly, there is a potential for privacy breaches, identity theft or even theft of assets. As the time and costs to recover from a data breach can be substantial, the Council encourages businesses to develop a cybersecurity management strategy for their employee benefit plans.

The Council’s report, which can be accessed here, discusses many topics including:

  • The objective(s) of a cybersecurity strategy
  • Commentary on how to establish a strategy/framework
  • Discussion regarding the use of service providers
  • Insurance considerations
  • Useful terminology and links

To the extent your organization has not yet focused on the cybersecurity risk specific to benefit plans, we recommend starting with the following:

  • Review existing corporate cybersecurity policies/processes and how they can be leveraged
  • Take an “inventory” of your plan data to understand where/how it originates, who receives it, where it is stored, and who needs access
  • Evaluate your internal resource capabilities – the Council’s report acknowledges the value of seeking expert advice when navigating this area
  • Based on the size of your organization and your plans, consider cyber-insurance

As the Council’s report notes, designing a cybersecurity risk management strategy does not have to be overwhelming. The following visual can be used to summarize the key components of an effective cybersecurity program, which include people, process, and technology.

Infographic describing the key components to a successful cybersecurity program


The most significant takeaway for plan sponsors is that the Council is recommending that the DOL provide information to the benefit plan community of plan sponsors, fiduciaries and service providers to educate them on cybersecurity risks and to provide guidance on managing these risks.

If you are interested in Plante Moran's cybersecurity capabilities and potential cybersecurity impact on your benefit plans, click here to access Plante Moran’s 7-point Cybersecurity Assessment. If you have any questions on the report, or where to start with your cybersecurity strategy, please contact a member of Plante Moran’s Employee Benefit Consulting or Cybersecurity teams.

Related Thinking

Business professional working at a desk using a laptop computer.
November 2, 2022

2023 retirement plans limitations summary

Article 1 min read
Businessperson having a cup of coffee while viewing their monitor screen.
July 12, 2022

280G regulations: Could the sale of your business trigger “golden parachute” penalties?

Article 5 min read
Business professional smiling while looking at documents.
June 15, 2022

Key takeaways: 2022 AICPA & CIMA Employee Benefit Plans Conference

Article 1 min read