Cybersecurity checklist and questionnaire

Use this checklist and questionnaire to review and strengthen your plan’s cybersecurity.

1 - Familiarize yourself with legal issues
  • Learn state law requirements that apply to your plan. (While there isn’t a comprehensive federal cybersecurity law, all states have cybersecurity laws.) 
  • Most states require “reasonable security procedures” that are “appropriate to the nature of the information.”

Factors to consider: 

  • If your organization operates in more than one state, the laws of each state apply. Requirements under different laws may vary significantly.
  • Although ERISA doesn’t explicitly address cybersecurity issues, defining and implementing a comprehensive cybersecurity plan may help you defend against a fiduciary claim based on a cybersecurity breach.
2 - Be aware of ERISA requirements

Factors to consider:

  • If you electronically distribute plan information, you may have a duty under Department of Labor (DOL) regulation Section 2520.104b-1(c) to ensure that the system: (1) results in actual receipt of the transmitted information; and (2) protects the confidentiality of personal information. 

  • Act prudently when choosing service providers who will have access to participant data. It’s important to go through a comprehensive investigation and selection process. To help you get started, the questionnaire in this document includes some questions you may wish to ask potential service providers.

3 - Create a risk management strategy

In developing a risk management strategy:

  • Understand the types of data associated with the plan.
  • Determine how information is accessed, stored, shared, controlled, transmitted and secured (for example, by using encryption).
  • Consider the plan’s size, complexity and overall risk exposure to effectively coordinate the plan’s cybersecurity with your broader cybersecurity efforts.

Include the following in your cybersecurity strategy:

Testing                                      Control of access

Updating                                  Data retention and destruction

Reporting                                  Third party risk management


  • Delegate responsibility for design and implementation of the plan’s cybersecurity program to a single individual to maximize oversight.
  • Update your policy annually to protect against the latest risks.
  • Engage experts to help, if necessary.
4 - Remember third party risk management
  • Ensure a security assessment process is in place to evaluate all third party service providers who have access to plan data.
  • Make sure third party contracts include appropriate protections and a fair allocation of liability risk.
  • Determine whether the third party provider has adequate cybersecurity insurance.
  • Question each service provider. Potential questions are in the questionnaire included in this document.   
5 - Maintain adequate insurance
  • Review your existing insurance policies for cybersecurity coverage.
  • If your current insurance doesn’t offer adequate coverage, investigate special cybersecurity coverage. 
  • Closely review the terms of your cybersecurity coverage.

Please note: Be sure to consider first party coverage, which doesn’t require third party damages or a third party lawsuit). This coverage may include costs associated with direct risk management, disaster response and recovery assistance.


Cybersecurity questionnaire: Questions for providers
Do you have a comprehensive cybersecurity program?  
What are the elements of your cybersecurity program?  
How will retirement plan data be maintained and protected?  
How is data secured while in transit and in storage?  
What are your protocols for notifying plan management of a breach?  
Do you subcontract to others? If so, on what protections do you insist in your agreement with the subcontractor?  
What are your hiring and training practices (for example, background checks, screening practices and cyber training of personnel)?