Is cybersecurity part of your 401(k) fiduciary duty?

A client recently asked: “I just read that cybersecurity is now part of our fiduciary duty for our 401(k) plan. What does that mean for us?”

It’s a fair question. Many retirement plans were set up years ago, long before cybersecurity was a daily topic. Vendors were selected, the plan went live and the operational details faded into the background. If your plan has been running on autopilot, you’re not alone. But that needs to change.

What the DOL expects

The Department of Labor (DOL) has made its position clear: plan sponsors have a fiduciary duty to prudently select and monitor service providers, and that includes evaluating their cybersecurity practices. The DOL’s cybersecurity guidance establishes that fiduciaries must take steps to address cybersecurity risk — not just at the outset, but on an ongoing basis.

A recordkeeper or third-party administrator with solid security practices five years ago may have fallen behind. That’s why ongoing engagement matters.

You don’t need to become a cybersecurity expert. However, it’s important to ask reasonable questions, evaluate vendor responses and document your decisions.

Why retirement plans are a target

Retirement plans hold large balances and follow predictable processes, which makes them attractive to bad actors. Account takeover fraud and illegal fund transfers happen more often than most plan sponsors realize. The features designed to make participant accounts easy to access can also make them easier to exploit.

When an incident occurs, plan sponsors could experience financial loss, prohibited transaction issues, corrective contributions and regulatory scrutiny. Even strong vendor contracts don’t prevent lawsuits or stop participants from seeking damages.

What good oversight looks like

The DOL’s Cybersecurity Program Best Practices outlines what service providers should have in place:

  • Formal security programs
  • Independent audits
  • Access controls
  • Encryption
  • Incident response plans

You don’t need to be fluent in all of the specifics, but you should be able to ask your vendors to demonstrate they are.

A straightforward starting point is to add cybersecurity as a standing agenda item in your annual service provider reviews. It creates a documented record of oversight and keeps the topic from getting lost in day-to-day operations.

We can help

TrueNorth’s Cyber Consulting Practice can help you develop an oversight framework, evaluate current vendor practices and document your fiduciary decisions. Reach out to get started.
