Cybersecurity Best Practices for Plan Sponsors

Keeping your plan data safe

Cybersecurity is a critical but often overlooked aspect of a plan sponsor’s fiduciary responsibility. In simple terms, cybersecurity means protecting sensitive plan and participant data — and by extension, your participants’ financial well-being and retirement security — against attacks from hackers and cyber criminals.

The Department of Labor has outlined 12 cybersecurity best practices:

  1. Have a formal, well-documented cybersecurity program.
  2. Conduct prudent annual risk assessments.
  3. Have a reliable annual third-party audit of security controls.
  4. Clearly define and assign information security roles and responsibilities.
  5. Have strong access control procedures.
  6. Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
  7. Conduct periodic cybersecurity awareness training.
  8. Implement and manage a secure system development life cycle (SDLC) program.
  9. Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
  10. Encrypt sensitive data, stored and in transit.
  11. Implement strong technical controls in accordance with best security practices.
  12. Appropriately respond to any past cybersecurity incidents.

To help maintain your fiduciary responsibility, here are 11 key questions you should be asking your 401(k) service providers about cybersecurity:[1]

  1. What are your procedures for dealing with cybersecurity threats and protecting participants’ personal information?
  2. Do you conduct periodic risk assessments to identify vulnerabilities to cybersecurity threats and the impact of potential business disruptions?
  3. Do you conduct an annual, independent assessment of your cybersecurity systems and policies?
  4. Can you describe how plan and participant data is encrypted (census upload, enrollment, payroll uploads, transfers and other data exchange policies)?
  5. What are your procedures for notifying us of a system breach?
  6. Does your company carry cybersecurity insurance? If yes, can you provide an overview of the coverage (including all limitations)?
  7. Has your company experienced any security breaches? If yes, explain.
  8. How do you store, retain, and destroy sensitive data?
  9. Does your company outsource any services to a subcontractor? If yes, what controls are in place to protect our company’s sensitive data?
  10. Do you have a privacy and security policy, and does the policy apply to personally identifiable information of retirement plan clients?
  11. Does your business continuity and disaster recovery plan include the recovery of an employer’s data after a breach?

Cybersecurity concerns us all. Whether you are a small business owner or the CEO of a Fortune 100 company, ask your 401(k) service providers these questions and document their responses, because knowing what could cause a data breach is the first step in preventing one.


Toll Free: (866) 364-6262 | Fax: (703) 878-9051

9161 Liberia Avenue, Suite 100, Manassas, VA 20110 | Office: (703) 878-9050

11921 Freedom Drive, Two Fountain Square, Suite 550, Reston, VA 20190 | Office: (703) 904-4388


This information was developed as a general guide to educate plan sponsors and is not intended as authoritative guidance or tax/legal advice. Each plan has unique requirements, and you should consult your attorney or tax advisor for guidance on your specific situation.

©401(k) Marketing, LLC. All rights reserved. Proprietary and confidential. Do not copy or distribute outside original intent.

[1] “401k Service Providers and Cybersecurity: Questions to Ask.”