Cybersecurity: A Top Plan Sponsor Concern

According to Escalent’s 2025 Retirement Planscape study, more than half of employers rank cybersecurity as their No. 1 “plan fear,” ahead of poor investment performance (45%) and insufficient participant savings (43%).

That concern is not without evidence. High-profile breaches, such as the recent attack on a leading recordkeeper affecting more than 1,000 employees and traced to a third-party client management cloud application, demonstrate how a single weak point can compromise employee data and disrupt operations.

In the past year alone, 7% of all plan sponsors (and one in 10 mega plans) reported a 401(k)-related data breach.

The Department of Labor’s website provides the Employee Benefits Security Administration’s (EBSA’s) best practices for retirement plan cybersecurity programs. EBSA states that the guidance is “for use by recordkeepers and other service providers responsible for plan-related IT systems and data, and for plan fiduciaries making prudent decisions on the service providers they should hire.” The recommendations cover 12 areas of retirement plan cybersecurity.

1. Have a formal, well-documented cybersecurity program.
2. Conduct prudent annual risk assessments.
3. Have a reliable annual third-party audit of security controls.
4. Clearly define and assign information security roles and responsibilities.
5. Have strong access control procedures.
6. Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
7. Conduct periodic cybersecurity awareness training.
8. Implement and manage a secure system development life cycle (SDLC) program.
9. Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
10. Encrypt sensitive data, stored and in transit.
11. Implement strong technical controls in accordance with best security practices.
12. Appropriately respond to any past cybersecurity incidents.

Employees can also play a role by remaining vigilant for irregularities and reporting them through appropriate channels. Cyberattacks are growing more sophisticated, with AI and other advancements enabling criminals to mimic legitimate users and exploit weak points in vendor networks. Cybersecurity is and will remain an employer concern for the foreseeable future.

Sources:
https://escalent.co/news/cost-concerns-ease-as-ai-moves-up-the-agenda-for-dc-plan-sponsors/
https://www.napa-net.org/news/2025/6/transamerica-hacked-by-data-breach/
https://www.dol.gov/agencies/ebsa/key-topics/retirement-benefits/cybersecurity/best-practices
