If your organization sponsors an employee benefit plan under the Employee Retirement Income Security Act of 1974 (ERISA), cybersecurity risk is now a core fiduciary consideration. A single compromised record-keeper login, a missed vendor review, or an outdated incident response plan could put participant data, plan assets, and your fiduciary standing at risk.
The U.S. Department of Labor (DOL) has clarified that ERISA-covered plans are expected, consistent with fiduciary duties of prudence and loyalty, to understand and oversee cybersecurity risks that could affect plan data and plan assets, regardless of plan size or whether services are outsourced.
Recent DOL enforcement developments underscore that these expectations are not merely aspirational. On January 15, 2026, the DOL’s Employee Benefits Security Administration (EBSA) announced that it overhauled its national enforcement projects for fiscal year 2026 and that investigations will prioritize cybersecurity, among other focus areas. This increased enforcement emphasis reiterates the importance of having a demonstrable, plan-specific process for assessing cyber risk and overseeing service providers that handle plan data and transactions.
Deconstructing the DOL’s Cybersecurity Guidance
The DOL’s cybersecurity guidance, originally issued in April 2021 and expanded to all ERISA-covered plans in September 2024 through Compliance Assistance Release No. 2024-01, applies broadly to retirement plans, health and welfare plans, plan sponsors and fiduciaries, and service providers that create, store, process, or transmit plan data.
The guidance is anchored by the DOL’s “Cybersecurity Program Best Practices,” which describe elements of reasonable cybersecurity governance and oversight for ERISA plans. These practices include:
- Maintaining a formal, well-documented cybersecurity program
- Conducting prudent annual risk assessments
- Having a reliable annual third-party audit of security controls
- Clearly defining and assigning information security roles and responsibilities
- Implementing strong access control procedures
- Confirming that assets or data stored in the cloud or managed by third parties are subject to appropriate security reviews
- Conducting periodic cybersecurity awareness training
- Implementing a secure system development life cycle
- Maintaining an effective business resiliency program addressing business continuity, disaster recovery, and incident response
- Encrypting sensitive data at rest and in transit
- Implementing technical controls aligned with recognized security practices
- Appropriately responding to and learning from cybersecurity incidents
The DOL expects fiduciaries to apply these practices based on the benefit plan’s specific risk profile and operating environment, not simply to rely on enterprise-wide IT programs or vendor assurances without appropriate oversight.
The Fiduciary Expectation: Plan-Specific Cyber Risk Assessment
A foundational theme of the DOL’s cybersecurity guidance is that fiduciaries should periodically evaluate cybersecurity risks relevant to the plan.
For benefit plans, this typically includes:
- Performing a cyber risk assessment specific to the plan environment
- Evaluating how the DOL’s cybersecurity best practices apply given the plan’s risk, size, and complexity
- Considering data sensitivity, asset movement, and reliance on third-party service providers
- Documenting results, judgments, and follow-up actions as part of ongoing fiduciary governance
A plan-specific cyber risk assessment can help fiduciaries identify where additional action or assurance may be needed. Conducted consistently and aligned with fiduciary review cycles, it can also serve as a foundation for demonstrating prudent ERISA cybersecurity oversight.
Why Shared Responsibility Matters
Benefit plan operations rely heavily on third parties, including record-keepers, third-party administrators, payroll providers, cloud service providers, and custodians or trustees. While these parties may operate key systems and controls, fiduciary responsibility for oversight remains with the plan sponsor and named fiduciaries.
Effective oversight requires clarity around:
- Which cybersecurity controls are owned and operated by the plan sponsor
- Which controls are operated by service providers
- How fiduciaries obtain assurance over third-party controls
- Where oversight gaps or dependencies may exist
A shared responsibility matrix can help document these roles and provide transparency for stakeholders. Without this clarity, fiduciaries may face challenges demonstrating prudent oversight, even where cybersecurity controls are in place.
How Forvis Mazars Can Help
ERISA cybersecurity oversight is a fiduciary expectation now under active DOL enforcement. Plan sponsors and fiduciaries may already know cybersecurity applies to their plans. The harder challenge is demonstrating how their plan identifies, evaluates, and responds to cyber risk.
Forvis Mazars works with plan sponsors and fiduciaries to conduct plan-specific cyber risk assessments aligned with DOL cybersecurity guidance, build shared responsibility frameworks across service providers, and document fiduciary decision making in a way that can withstand regulatory scrutiny.
Ready to review your plan’s cybersecurity posture? Connect with IT Risk & Compliance professionals at Forvis Mazars to start the conversation.