Cybersecurity and your 401(k) plan fiduciary duties

Did you know that systems and data security fall within a retirement plan fiduciary’s duties? Cybersecurity—or the protection of personally identifiable information—is integral to a 401(k) plan fiduciary’s responsibility to act in the best interests of participants and beneficiaries.

Cybersecurity is an ERISA fiduciary duty

According to the Employee Retirement Income Security Act of 1974 (ERISA), a fiduciary is obligated to take appropriate and necessary steps to protect the safety of participants’ accounts and information, just as they do with plan design, investment selection, and monitoring of fees and expenses. To this end, the U.S. Department of Labor (DOL) has provided broad, best-practice guidelines to address fiduciaries’ roles and responsibilities related to cybersecurity, which we’ve summarized below.

Six more steps to refining your cybersecurity approach

Culled from the DOL’s best-practices guidelines, here are six specific actions fiduciaries can consider to satisfy their cybersecurity responsibilities.

1   Prudently select and monitor third-party service providers with a process that includes investigating how personally identifiable information (PII) is protected, and document the factors taken into consideration. Request information regarding the providers’ data security systems and policies; also, review the results of providers’ SOC 2 audits and other industry-recognized certifications.

2   Review and, if necessary, amend agreements with service providers to ensure that contractual provisions mandate the protection of plan data and the allocation of liability.

3   Consider buying cyber-liability insurance or include cyber provisions in existing liability policies. Policies should cover liability resulting in litigation, as well as the cost of the assistance and resources (such as credit monitoring or technical support) needed to minimize the impact of an actual breach.

4   Document, review, and update cybersecurity policies for comprehensiveness. Ensure the ongoing monitoring of any covered service providers and employees with access to plan data, while also limiting the data available to only what’s necessary.

5   Continue to educate fiduciaries (retaining an expert’s assistance, if necessary) to ensure they’re informed regarding the functionality of the systems, as well as the processes and procedures involved with the maintenance, retention, and protection of PII.

6   Educate participants to do their part to protect against cybersecurity issues before they occur, and communicate how to mitigate losses if information is compromised.

In the end, cybersecurity is a fiduciary duty

As a fundamental principle, 401(k) plan fiduciaries are obligated to address PII under ERISA. The practices outlined here are part of a complete approach to developing and maintaining an appropriate cybersecurity strategy—and for fulfilling this important aspect of your fiduciary obligations.


1 “Cybersecurity Considerations for Benefit Plans,” the DOL’s Advisory Council on Employee Welfare and Pension Benefit Plans, November 2016. This includes knowledge of the cybersecurity protocols themselves, as well as the policies, protections, and guarantees of any involved administrative service providers, recordkeepers, payroll providers, third-party administrators, and financial professionals.


The content of this document is for general information only and is believed to be accurate and reliable as of the posting date, but may be subject to change. John Hancock and its representatives do not provide investment, tax, or legal advice. Please consult your own independent advisor as to any investment, tax, or legal statements made here. 


© 2019–2020 John Hancock. All rights reserved.



Thomas Shola, Assistant Vice President, IT Cybersecurity Officer, John Hancock Retirement