The Overlooked Responsibility in Protecting Plan Data

In today’s digital landscape, retirement and healthcare plan data represent a treasure trove for cybercriminals. With millions of participants’ sensitive personal and financial information stored in these systems, the stakes couldn’t be higher. Yet many plan fiduciaries continue to underestimate their role in cybersecurity governance, often mistakenly believing that outsourcing this function absolves them of responsibility.

The Department of Labor (DOL) has recognized this critical gap, issuing cybersecurity guidance in April 2021 that was later updated in November 2024 to explicitly confirm its application to all ERISA plans, including both retirement and health and welfare plans. Despite this clarity from regulators, misconceptions persist about fiduciaries’ ongoing obligations in this arena.

This article aims to debunk common myths surrounding cybersecurity oversight and provide practical guidance for fiduciaries to fulfill their obligations effectively.


The Delegation Misconception: Cybersecurity Fiduciary Duty Can Be Outsourced

Myth: “I’ve hired a cybersecurity firm, so I’m no longer responsible.”

Perhaps the most dangerous misconception is that hiring a third-party cybersecurity provider transfers all responsibility and liability away from the fiduciary. This belief fundamentally misunderstands the nature of fiduciary duty under ERISA. Related to the misconception is the belief that the corporate IT team shares accountability under ERISA when employee benefit plan assets or data are hacked. The plan’s managers are solely responsible under fiduciary laws.

Reality: While you can delegate certain cybersecurity functions, you cannot delegate away your fiduciary responsibility to oversee those functions. The DOL’s guidance makes clear that plan fiduciaries maintain an ongoing duty to monitor service providers, regardless of their expertise or reputation.

This principle aligns with ERISA’s core concept that fiduciaries must act prudently and solely in the interest of plan participants and beneficiaries. Delegating a task doesn’t eliminate the duty to ensure it’s being performed appropriately.

Myth: “Our service provider handles all cybersecurity matters.”

Many fiduciaries operate under the assumption that because a service provider manages the day-to-day technical aspects of cybersecurity, the fiduciary’s role is merely to sign contracts and pay invoices.

Reality: Fiduciaries must establish and maintain a prudent process for selecting, monitoring, and evaluating cybersecurity service providers. This includes:

    • Conducting thorough due diligence before hiring
    • Regularly reviewing performance against contractual obligations
    • Ensuring the provider’s practices align with current industry standards
    • Documenting all oversight activities in committee meeting minutes

As the DOL’s guidance emphasizes, cybersecurity is not a “set it and forget it” proposition but requires ongoing vigilance and engagement from fiduciaries.

Understanding SOC Reports: A Point-in-Time Snapshot, Not a Permanent Solution


Myth: “We reviewed the vendor’s SOC report when we hired them, so we’re covered.”

Many fiduciaries view Service Organization Control (SOC) reports as a one-time checkbox rather than an essential component of ongoing monitoring.

Reality: SOC reports provide valuable but limited insights into a service provider’s control environment at a specific point in time. These reports:

    • Typically cover only a specific period, and the service provider itself defines the control objectives the auditor tests against; there is no industry-standard set of vendor practices used in SOC audits
    • May not address all relevant controls specific to your plan’s needs
    • Can contain exceptions or qualifications that require fiduciary attention and follow-up

The DOL guidance explicitly recommends annual review of service providers’ SOC reports as part of a comprehensive cybersecurity monitoring program. However, this review should be substantive, not superficial—fiduciaries should:

    • Understand the scope and limitations of each report
    • Identify and address any exceptions or qualifications
    • Document their analysis and any follow-up actions
    • Request the complementary user entity controls and ensure they are implemented

A rapidly growing number of employers use artificial intelligence to track and score their retirement and healthcare plan vendors in real time. Cyber-ProtectRC from Roland|Criss is a leading solution.

Myth: “The SOC report looks clean, so we have nothing to worry about.”

Some fiduciaries mistakenly believe that a SOC report without obvious red flags indicates a completely secure environment.

Reality: Even “clean” SOC reports represent only one component of comprehensive cybersecurity oversight. Be aware that the SOC report of a primary vendor, such as a recordkeeper, does not cover any of that vendor’s subcontractors. These subservice vendors continue to account for some of the most damaging and widespread cybersecurity breaches that impact retirement and healthcare plans (e.g., MOVEit).

Fiduciaries should complement SOC report reviews with:

    • Regular security assessments and penetration testing results
    • Incident response planning and testing documentation
    • Proof of regular security patch implementation
    • Documentation of access control procedures

Summary

The shift toward digital plan administration has created unprecedented conveniences but also significant cybersecurity challenges. As a fiduciary, your responsibility is not to become a cybersecurity expert but to establish and maintain prudent processes for overseeing this critical function.

By understanding the common misconceptions about delegating cybersecurity responsibilities and implementing the best practices outlined in this article, you can fulfill your fiduciary duties while effectively protecting plan assets and participant information.