{"id":222414,"date":"2026-05-29T10:23:00","date_gmt":"2026-05-29T14:23:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/29\/erisa-cybersecurity-what-plan-fiduciaries-should-know\/"},"modified":"2026-05-29T10:25:28","modified_gmt":"2026-05-29T14:25:28","slug":"erisa-cybersecurity-what-plan-fiduciaries-should-know","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/29\/erisa-cybersecurity-what-plan-fiduciaries-should-know\/","title":{"rendered":"ERISA Cybersecurity: What Plan Fiduciaries Should Know"},"content":{"rendered":"<p><a href=\"https:\/\/www.forvismazars.us\/forsights\/2026\/05\/erisa-cybersecurity-what-plan-fiduciaries-should-know\">ERISA Cybersecurity: What Plan Fiduciaries Should Know<\/a><\/p>\n<p><a href=\"https:\/\/www.forvismazars.us\/forsights\/2026\/05\/erisa-cybersecurity-what-plan-fiduciaries-should-know\">https:\/\/www.forvismazars.us\/forsights\/2026\/05\/erisa-cybersecurity-what-plan-fiduciaries-should-know<\/a><\/p>\n<p>Publish Date: 2026-05-29 10:23:00<\/p>\n<p>Source Domain: www.forvismazars.us<\/p>\n<p>If your organization sponsors an employee benefit plan under the Employee Retirement Income Security Act of 1974 (ERISA), cybersecurity risk is now a core fiduciary consideration. A single compromised record-keeper login, a missed vendor review, or an outdated incident response plan could put participant data, plan assets, and your fiduciary standing at risk. The U.S. Department of Labor (DOL) has clarified that ERISA-covered plans are expected, consistent with the fiduciary duties of prudence and loyalty, to understand and oversee cybersecurity risks that could affect plan data and plan assets, regardless of plan size or whether services are outsourced.<\/p>\n<p>Recent DOL enforcement developments underscore that these expectations are not merely aspirational. On January 15, 2026, the DOL\u2019s Employee Benefits Security Administration (EBSA) announced that it had overhauled its national enforcement projects for fiscal year 2026 and that investigations will prioritize cybersecurity, among other focus areas. This increased enforcement emphasis reinforces the importance of having a demonstrable, plan-specific process for assessing cyber risk and overseeing service providers that handle plan data and transactions.<\/p>\n<h2>Deconstructing the DOL\u2019s Cybersecurity Guidance<\/h2>\n<p>The DOL\u2019s cybersecurity guidance, originally issued in April 2021 and expanded to all ERISA-covered plans in September 2024 through Compliance Assistance Release No. 2024-01, applies broadly to retirement plans, health and welfare plans, plan sponsors and fiduciaries, and service providers that create, store, process, or transmit plan data.<\/p>\n<p>The guidance is anchored by the DOL\u2019s \u201cCybersecurity Program Best Practices,\u201d which describe elements of reasonable cybersecurity governance and oversight for ERISA plans. These practices include:<\/p>\n<ul>\n<li>Maintaining a formal, well-documented cybersecurity program<\/li>\n<li>Conducting prudent annual risk assessments<\/li>\n<li>Having a reliable annual third-party audit of security controls<\/li>\n<li>Clearly defining and assigning information security roles and responsibilities<\/li>\n<li>Implementing strong access control procedures<\/li>\n<li>Confirming that assets or data stored in the cloud or managed by third parties are subject to appropriate security reviews<\/li>\n<li>Conducting periodic cybersecurity awareness training<\/li>\n<li>Implementing a secure system development life cycle<\/li>\n<li>Maintaining an effective business resiliency program addressing business continuity, disaster recovery, and incident response<\/li>\n<li>Encrypting sensitive data at rest and in transit<\/li>\n<li>Implementing technical controls aligned with recognized security practices<\/li>\n<li>Appropriately responding to and learning from cybersecurity incidents<\/li>\n<\/ul>\n<p>The DOL expects fiduciaries to apply these practices based on the benefit plan\u2019s specific risk profile and operating environment, not simply rely on enterprisewide IT programs or vendor assurances without appropriate oversight.<\/p>\n<h2>The Fiduciary Expectation: Plan-Specific Cyber Risk Assessment<\/h2>\n<p>A foundational theme of the DOL\u2019s cybersecurity guidance is that fiduciaries should periodically evaluate cybersecurity risks relevant to the plan. For benefit plans, this typically includes:<\/p>\n<ul>\n<li>Performing a cyber risk assessment specific to the plan environment<\/li>\n<li>Evaluating how the DOL\u2019s cybersecurity best practices apply given the plan\u2019s risk, size, and complexity<\/li>\n<li>Considering data sensitivity, asset movement, and reliance on third-party service providers<\/li>\n<li>Documenting results, judgments, and follow-up actions as part of ongoing fiduciary governance<\/li>\n<\/ul>\n<p>A plan-specific cyber risk assessment can help fiduciaries identify where additional action or assurance may be needed. Conducted consistently and aligned with fiduciary review cycles, it can also serve as a foundation for demonstrating prudent ERISA cybersecurity oversight.<\/p>\n<h2>Why Shared Responsibility Matters<\/h2>\n<p>Benefit plan operations rely heavily on third parties, including record-keepers, third-party administrators, payroll providers, cloud service providers, and custodians or trustees. While these parties may operate key systems and controls, fiduciary responsibility for oversight remains with the plan sponsor and named fiduciaries.<\/p>\n<p>Effective oversight requires clarity around:<\/p>\n<ul>\n<li>Which cybersecurity controls are owned and operated by the plan sponsor<\/li>\n<li>Which controls are operated by service providers<\/li>\n<li>How fiduciaries obtain assurance over third-party controls<\/li>\n<li>Where oversight gaps or dependencies may exist<\/li>\n<\/ul>\n<p>A shared responsibility matrix can help document these roles and provide transparency for stakeholders. Without this clarity, fiduciaries may face challenges demonstrating prudent oversight, even where cybersecurity controls are in place.<\/p>\n<h2>How Forvis Mazars Can Help<\/h2>\n<p>ERISA cybersecurity oversight is a fiduciary expectation now under active DOL enforcement. Plan sponsors and fiduciaries may already know that cybersecurity applies to their plans. The harder challenge is demonstrating how their plan identifies, evaluates, and responds to cyber risk.<\/p>\n<p>Forvis Mazars works with plan sponsors and fiduciaries to conduct plan-specific cyber risk assessments aligned with DOL cybersecurity guidance, build shared responsibility frameworks across service providers, and document fiduciary decision making in a way that can withstand regulatory scrutiny.<\/p>\n<p>Ready to review your plan\u2019s cybersecurity posture? Connect with IT Risk &#038; Compliance professionals at Forvis Mazars to start the conversation.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>ERISA Cybersecurity: What Plan Fiduciaries Should Know https:\/\/www.forvismazars.us\/forsights\/2026\/05\/erisa-cybersecurity-what-plan-fiduciaries-should-know Publish Date: 2026-05-29 10:23:00 Source Domain: www.forvismazars.us&#8230;<\/p>\n","protected":false},"author":1,"featured_media":222415,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.forvismazars.us\/getmedia\/073374ba-9868-43c4-8776-ab81267fce7d\/680315905-landscape-large.jpg?width=1920&height=1080&ext=.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24],"class_list":["post-222414","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/222414"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=222414"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/222414\/revisions"}],"predecessor-version":[{"id":222416,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/222414\/revisions\/222416"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/222415"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=222414"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=222414"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=222414"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}