Skip to content
Data and checklists on a laptop screen, showing the importance of employee beneft plan cybersecurity.

Employee Benefit Plan Cybersecurity Requirements for Plan Sponsors

Jul 17, 2026

Cybersecurity affects every aspect of an organization’s operations. This includes employee benefit plans, which are attractive targets for cybercriminals due to the volume of assets and sensitive participant data they contain.

For plan sponsors, this is not just an IT concern. It’s a fiduciary responsibility with regulatory, financial, and reputational implications.

The U.S. Department of Labor (DOL) underscored this issue when it first published cybersecurity guidance for employee benefit plans in 2021 and later issued updated guidance in 2024. At the same time, enforcement activity, litigation, and audit* scrutiny have continued to evolve.

If your organization sponsors an employee benefit plan, it’s your responsibility to comply with the standards and regulations. Cybersecurity is a fiduciary issue for plan sponsors, and your auditors will review these areas if your plan is subject to an audit.

What the DOL Cybersecurity Guidance Specifies for Employee Benefit Plans

The DOL guidance applies to all employee benefit plans subject to the Employee Retirement Income Security Act (ERISA), including health and welfare plans. It outlines expectations for plan sponsors, fiduciaries, recordkeepers, and service providers and is structured around three components:

  • Cybersecurity program best practices
  • Tips for hiring a service provider
  • Online security tips

Although these are framed as best practices and tips, the guidance reflects the DOL’s interpretation of existing ERISA obligations and provides a framework for effective controls. As fiduciaries, plan sponsors are expected to prudently mitigate cybersecurity risks as part of their duty to act with care, skill, prudence, and diligence.

At a minimum, plan sponsors should ensure they are addressing the following key areas outlined in the guidance.

Governance and Documentation

  • A formal, well-documented cybersecurity program
    • Clearly defined and assigned roles and responsibilities for information security oversight
    • Appropriate response to cybersecurity incidents

Risk Management

  • Annual risk assessments and third-party audits of security controls
    • Documented incident response, business continuity, and disaster recovery plans
    • Security reviews and independent security assessments of controls protecting any assets or data stored in the cloud or managed by a third party
    • Ongoing cybersecurity awareness training

Technical Controls

  • Strong technical controls in accordance with security best practices
    • Effective access controls
    • A secure system development life cycle (SDLC) program
    • Encryption of sensitive data in transit and in storage

The DOL’s Cybersecurity Best Practices document provides additional detail on each of these areas. Together, these controls help organizations develop a structured, documented cybersecurity program.

What Auditors Look For

For organizations subject to an employee benefit plan audit, cybersecurity is increasingly part of the conversation. Auditors are focusing on evidence of control, not just intent.

Typical audit procedures include reviewing:

  • Documented cybersecurity policies and procedures.
  • Results of recent risk assessments.
  • Vendor due diligence and ongoing monitoring.
  • System and Organization Controls (SOC) 1 and SOC 2 reports from key service providers, along with evidence of review and evaluation of the reports.
  • Evidence of review and evaluation of complementary user entity controls in SOC 1 reports. Your organization should have these in place for the controls in the report to function as intended.
  • Incident response plans and testing documentation.

It’s important not to rely on your plan’s recordkeeper or assume controls are in place. Auditors expect clear documentation showing oversight and evaluation.  

Common Audit Findings

In practice, cybersecurity-related employee benefit plan audit findings often stem from gaps in documentation and oversight. In our experience, frequent issues include:

  • No documented vendor due diligence process
  • Obtaining SOC reports without documenting review, follow-up, or evaluation of complementary user entity controls
  • Outdated or untested incident response plans
  • Weak or inconsistent access control documentation and configurations
  • No formal cybersecurity risk assessment
  • Limited evidence of employee training or awareness

These types of gaps can indicate a lack of prudent oversight, which may not only impact audit results but also increase exposure to regulatory scrutiny or potential litigation risk over time.

Preparing for Your Next Employee Benefit Plan Audit

Begin by evaluating your existing cybersecurity processes and controls, identifying gaps, and prioritizing your remediation efforts.

Then, consider developing an audit-ready documentation package that includes:

  • Your cybersecurity policies and procedures
  • Risk assessment reports
  • Incident response plans and testing results
  • Vendor due diligence and monitoring documentation
  • SOC report reviews and conclusions

Cybersecurity is now a core fiduciary and governance priority for plan sponsors. Organizations that take a proactive, well-documented approach will be better positioned to meet ERISA obligations, satisfy audit requirements, and reduce their exposure to emerging cyber risks.

How CRI Can Help

In addition to employee benefit plan audit services, CRI provides independent cybersecurity risk assessments, vendor and service provider due diligence, and more. Contact your CRI advisor for experienced support tailored to your organization’s needs.

Relevant insights

Join Our Conversation

Subscribe to our e-communications to receive the latest accounting and advisory news and updates impacting you and your business.

This field is for validation purposes and should be left unchanged.

By proceeding, you are agreeing to the terms and conditions in the Carr, Riggs and Ingram Privacy Policy. This form submission acts as your acknowledgment to receive occasional email updates, news and promotions from Carr, Riggs & Ingram.