The Employee Retirement Income Security Act (ERISA) was established in 1974 to protect employees’ retirement and benefit rights. The law established minimum protection requirements for retirement and health insurance plans established voluntarily by private industries nationwide.
Plans covered by ERISA often hold substantial monetary assets and maintain personal, medical, and financial data on participants. This makes them a prime target for cybercriminals. Furthermore, the 2025 Verizon Data Breach Investigations Report found that the share of data breaches involving third parties, such as health and benefits plan service providers, doubled from 15% in 2024 to 30% in 2025. As a result, measuring risk in third-party relationships is increasingly crucial to maintaining a well-operating information security risk management program.
The Employee Benefits Security Administration, the United States Department of Labor agency responsible for administering and enforcing laws related to ERISA benefits plans, has developed the following best practices for those responsible for plan-related information technology (IT) systems and data, as well as for plan fiduciaries contracting with service providers:
- Have a formal, well-documented cybersecurity program. A sound cybersecurity program will include information security policies, procedures, guidelines, and standards to protect the security of the IT infrastructure and the data stored in its systems.
- Conduct prudent annual risk assessments. A risk assessment is an effort to identify, estimate, and prioritize information system risks. IT threats are constantly changing, so it is important to design a manageable, effective risk assessment schedule.
- Have a reliable annual third-party audit of security controls. Having an independent auditor assess an organization’s security controls provides a clear, unbiased report of existing risks, vulnerabilities, and weaknesses.
- Clearly define and assign information security roles and responsibilities. For a cybersecurity program to be effective, it must be managed at the senior executive level and executed by qualified personnel.
- Maintain strong access control procedures. Access control is a method of guaranteeing that users are who they say they are and that they have only the appropriate access to IT systems and data. It mainly consists of two components: authentication (verifying identity) and authorization (granting the access that identity is entitled to).
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments. Organizations should require a risk assessment of third-party cloud service providers, define minimum cybersecurity practices, and periodically assess providers based on potential risks.
- Conduct periodic cybersecurity awareness training. A comprehensive cybersecurity awareness program sets clear cybersecurity expectations for all employees and educates everyone to recognize attack vectors, help prevent cyber-related incidents, and respond to potential threats.
- Implement and manage a secure system development life cycle (SDLC) program. A secure SDLC program ensures that security assurance activities such as penetration testing, code review, and architecture analysis are an integral part of the system development effort.
- Use an effective business resiliency program addressing business continuity, disaster recovery, and incident response. Business resilience is an organization’s ability to adapt quickly to disruptions while maintaining continuous business operations and safeguarding people, assets, and data.
- Encrypt sensitive data at rest and in transit. A system should implement current, prudent standards for encryption keys, message authentication, and hashing to protect the confidentiality and integrity of data at rest and in transit.
- Implement strong technical controls in accordance with best security practices. Technical security solutions are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.
- Appropriately respond to any past cybersecurity incidents. This includes informing law enforcement, notifying the appropriate insurer, investigating the incident, notifying participants of unauthorized acquisition of their personal data, giving affected plans and participants the information necessary to prevent/reduce injury, honoring any contractual or legal obligations with respect to the breach, and fixing the problems that caused the breach to prevent its recurrence.
One of the best ways to assess compliance with any information security standard, guideline, or law is to have an independent expert analysis measure how currently implemented practices align with the required standards.
By proactively implementing these best practices, ERISA plan sponsors can significantly reduce their exposure to cyber threats and better meet their fiduciary responsibilities to plan participants. In today’s evolving threat landscape, where third-party risks and data breaches are on the rise, maintaining a well-documented, regularly tested cybersecurity program is not just a regulatory expectation but a business imperative. Partnering with experienced professionals to assess vulnerabilities and enhance security controls can further support both compliance and the long-term protection of participant data and plan assets.
Brandon is a director with FoxPointe Solutions, a division of The Bonadio Group. Brandon joined Bonadio in April 2018.
© Arc, All Rights Reserved.