ERISA Cybersecurity: What Plan Fiduciaries Should Know

https://www.forvismazars.us/forsights/2026/05/erisa-cybersecurity-what-plan-fiduciaries-should-know

Publish Date: 2026-05-29 10:27:00

Source Domain: www.forvismazars.us

If your organization sponsors an employee benefit plan under the Employee Retirement Income Security Act of 1974 (ERISA), cybersecurity risk is now a core fiduciary consideration. A single compromised record-keeper login, a missed vendor review, or an outdated incident response plan could put participant data, plan assets, and your fiduciary standing at risk.

The U.S. Department of Labor (DOL) has clarified that ERISA-covered plans are expected, consistent with fiduciary duties of prudence and loyalty, to understand and oversee cybersecurity risks that could affect plan data and plan assets, regardless of plan size or whether services are outsourced.

Recent DOL enforcement developments underscore that these expectations are not merely aspirational. On January 15, 2026, the DOL’s Employee Benefits Security Administration (EBSA) announced that it overhauled its national enforcement projects for fiscal year 2026 and that investigations will prioritize cybersecurity, among other focus areas. This heightened enforcement emphasis reinforces the importance of having a demonstrable, plan-specific process for assessing cyber risk and overseeing service providers that handle plan data and transactions.

Deconstructing the DOL’s Cybersecurity Guidance

The DOL’s cybersecurity guidance, originally issued in April 2021 and expanded to all ERISA-covered plans in September 2024 through Compliance Assistance Release No. 2024-01, applies broadly to retirement plans, health and welfare plans, plan sponsors and fiduciaries, and service providers that create, store, process, or transmit plan data.

The guidance is anchored by the DOL’s “Cybersecurity Program Best Practices,” which describe elements of reasonable cybersecurity governance and oversight for ERISA plans. These practices include:

  • Maintaining a formal, well-documented cybersecurity program
  • Conducting prudent annual risk assessments
  • Having a reliable annual third-party audit of security controls
  • Clearly defining and…