When I started in this business, plan sponsors worried about lost checks. Now, they should be worried about lost data. Back then, if a participant’s address was wrong, you mailed a letter and hoped for the best. Today, if a hacker gets your payroll feed, you’re not mailing letters—you’re calling your cyber insurer and your lawyer.
ERISA’s Section 404 talks about acting prudently and solely in the interest of participants. That used to mean watching fees, monitoring investments, and keeping minutes. But in 2025, prudence means locking down your participant data like it’s Fort Knox. Every Social Security number, every date of birth, every account balance—those are plan assets in digital form.
The Department of Labor isn’t subtle about it anymore. Cybersecurity is a fiduciary issue. If your TPA or recordkeeper treats data protection like an afterthought, that’s your problem too. Because if participant data gets breached, no one’s pointing fingers at the IT guy—they’re pointing them at you, the plan sponsor.
So, ask questions. Demand documentation of your providers’ security protocols. Review your internal controls. Don’t let an intern email participant data unencrypted. You wouldn’t leave plan assets in a shoebox under your desk, so don’t leave sensitive data floating around in Outlook.
Fiduciary prudence used to mean “protecting the money.” Now it also means protecting the information about the money. Data is the new 404—and unlike plan assets, once it’s leaked, you can’t roll it back into the trust.
