TIAA TMRW

Safeguard retirement plans from cyberattacks

Recordkeepers and other service providers are expected to protect retirement plan assets, access, and data—but that doesn’t mean employers are off the hook.

Key takeaways

  • Americans lost a record $16.6 billion due to cyberattacks in 2024. Criminals are increasingly targeting retirement plans for their vast personal and financial data.
  • Regulators say employers are accountable for retirement plan cybersecurity, but it’s far from a solo effort. Vendors play a critical role helping employers put the right protections in place.
  • Why this matters: Because retirement savings are often an employee’s primary source of wealth, employers have not only a fiduciary responsibility but a moral one to protect the plan—and everyone needs to do their part.

IN MID-2023, a major data breach rocked the retirement plan industry. The Cl0p ransomware group exploited a previously unknown SQL injection vulnerability (CVE-2023-34362) in MOVEit Transfer, a widely used managed file transfer application, to access participant data. Names, Social Security numbers, and account information from multiple recordkeepers were stolen, and the attackers threatened to publish the data broadly unless they were paid.

Because it spread through digital supply chains and hit several key vendors at once, the incident has been described as a “hydra-headed” breach. The damage was immediate and far-reaching: The personal information of more than 80 million people at over 2,500 organizations was compromised, and access to retirement plans went down in multiple states.1 Harder to measure is the loss of trust among hardworking employees and the damage to the reputations of employers and of the companies entrusted to help manage their plans.

The MOVEit breach was a wake-up call for many organizations with retirement plans. Employers typically outsource plan administration, but under ERISA, they still have a fiduciary duty to manage their plans for the benefit of employees and participants. And based on the latest guidance from the U.S. Department of Labor (DOL), that includes getting serious about safeguarding their plans against cybersecurity risks.

The cyberthreat landscape

While MOVEit was stunning in its scope, it was hardly an isolated incident. In its 2025 Data Breach Investigations Report, Verizon Business counted more than 1,500 confirmed breaches involving data disclosure in the health care industry, about 900 in the financial and insurance industries, and about 850 in education.2 The FBI’s 2024 Internet Crime Report cited a record $16.6 billion in losses reported to the bureau nationwide.3

A “hydra-headed” breach describes an attack that targets multiple systems or vendors at once, spreading rapidly and triggering widespread damage.

“Personal data is extremely attractive to hackers,” says Ron Barthel, an information security expert at TIAA. “It can be sold, used to steal identities, or held to extort ransom from employers.” Another target is the money itself; criminals will attempt to defraud participants directly by duping them into transferring their funds into accounts controlled by the bad actors. Finally, disrupting system availability can be a hacker’s primary goal—because a downed system can be used to extort ransom from an employer—not just the byproduct of a data hack. Barthel says systems can be compromised on a limited or industry-wide scale: “When criminals attack a supplier all recordkeepers rely on, suddenly you’ve got millions of participants who can’t log in to their retirement accounts.”

Any of these attacks puts participants at risk for identity theft, and they can lose years of savings if they’re defrauded. As plan fiduciaries, employers may face lawsuits for breaches if they don’t have an adequate cybersecurity program for their retirement plan. Big data breaches can also attract the attention of the media, damaging the organization’s reputation.

Losses upon losses

As cyber losses grow, no industry goes untouched. In 2024 alone:

  • $16.6B total losses nationwide
  • 1,500 breaches in health care
  • 900 breaches in the financial and insurance industries
  • 850 breaches in education

Sources: Verizon Business, April 2025; FBI, April 2025


Who owns retirement plan cybersecurity? A cyber chain of custody

Employers and plan sponsors may see the onus for retirement plan security as largely falling on vendors, but effective cybersecurity is a team sport, says Barthel. If plan data is a football that gets passed between many players—including recordkeepers, third-party administrators (TPAs), and custodians—there are lots of opportunities for a fumble, and any point of failure can lead to a catastrophe without effective protocols in place.

The buck stops with the employer, who’s responsible for hiring vendors and assessing their cybersecurity practices on a recurring basis. But retirement plan committees may not even know all the questions they should ask or have the expertise to thoroughly vet them in the first place.

To provide a framework for combating these threats—and signal how seriously they take it from a regulatory perspective—the DOL issued guidance that includes a 12-point list of Cybersecurity Program Best Practices. The guidance, issued in 2021 and further clarified in 2024, applies to ERISA-covered retirement plans as well as health and welfare plans. Some recommendations, like documenting a cybersecurity program, apply to both employers and service providers. Others are primarily relevant for service providers. But as the party responsible for hiring and overseeing them—and as the party ultimately accountable for the retirement plan—employers benefit from being well-versed in all of them.

Building a retirement plan cybersecurity program

The idea of tackling cybersecurity can feel daunting to employers with a lot on their plates and not enough resources. Barthel encourages a crawl, walk, run approach. At the minimum level, he says plan committees need to talk to their service providers and do basic due diligence at least once a year, “because the landscape is always changing.” The next level requires plan sponsors to dive deeply into the DOL recommendations with all plan vendors and make sure they’re fully covering all the bases. But he notes committees without IT representation may struggle: “Committees typically include human resources personnel, perhaps economics experts, and an investment officer—and that’s at bigger organizations—but there's no one there from tech or security. ‘Walking fast’ would have tech be part of the conversation.”

In the optimal state, Barthel sees “running” employers as those whose chief information security officer (CISO) meets with plan service providers on a recurring basis. The CISO will know the probing questions to ask and be able to assess whether providers, contracts, and financial guarantees in the event of a breach are meeting minimum standards. They’ll also have the experience to identify what the plan could be doing better on the security front.

It’s also key for employers to educate participants on cybersecurity and fraud awareness, Barthel adds. When doing so, they need to consider their entire participant base—not just active employees. He cautions that many companies drop the ball on including those who have retired, which “can result in retirees and older adults being more susceptible to cyber and fraud attacks.” As a recordkeeper, TIAA supports these efforts with quarterly participant emails to educate and raise awareness about cybersecurity threats, and maintains a Security Center with relevant content participants can explore.

Kara Speciale, CISO at Children’s Mercy, a Kansas City, Mo., pediatric hospital, says that to make cybersecurity training stick, persistence and variety are key because not everyone absorbs information the same way: “Some people want something in writing they can read on their own time. Others want to watch a funny training video.”

Proactive cybersecurity measures are half the battle

Safeguarding a retirement plan is like strengthening a fortress: Recordkeepers and third-party service providers build and guard the walls, but employers must coordinate the defense. Even the best preparation can’t guarantee a breach won’t occur, but with vigilant vendor vetting and oversight, participant engagement, and proactive cybersecurity planning, you can sleep better at night knowing you’ve turned your plan into a well-guarded stronghold.

Retirement plan cybersecurity: steps employers can take

  1. Vet service providers’ cybersecurity before you hire them. Ask about their most recent risk assessments, audit results, penetration testing outcomes, and breach history, and verify that their data-handling protocols meet your standards.
  2. Review the cybersecurity terms in contracts. Make sure each vendor’s timeline for issuing breach notifications is spelled out and that the vendor carries adequate cyber insurance. Require remediation plans and independent third-party audits.
  3. Monitor cybersecurity efforts regularly. Meet with vendors at least once a year for detailed cybersecurity updates and discussions, and include your technology or security team at the table.
  4. Patch your own cyber gaps. Ensure strong access controls, such as multifactor authentication, are in place for systems that touch plan data. Train your team and participants regularly on cybersecurity awareness and on what to do when they spot a threat. Write an incident response plan for breaches. And formally document your cybersecurity program in writing.
