

Department of Labor Cybersecurity & the Employee Retirement Income Security Act of 1974

July 17, 2025 by Brandon Agostinelli


The Employee Retirement Income Security Act of 1974 (ERISA) is a federal law that sets minimum standards for retirement and health plans voluntarily established by private-sector employers nationwide. Plans covered by ERISA typically hold substantial financial assets and maintain personal data on participants and beneficiaries (names, Social Security numbers, dates of birth, bank and account details). Money plus identity data makes them an attractive target for account takeover, benefit-payment fraud, and data theft.

Fiduciary Responsibilities for Mitigating Cyber Risk Under ERISA

Plan fiduciaries are responsible for prudently mitigating cybersecurity risk to plan assets and participant data. The Employee Benefits Security Administration (EBSA), the United States Department of Labor agency that administers and enforces the ERISA provisions governing benefit plans, has published the following best practices for those responsible for plan-related IT systems and data, and for plan fiduciaries who contract with service providers.

Key Cybersecurity Practices for ERISA Plan Service Providers

  1. Have a formal, well-documented cybersecurity program in place.
  2. Conduct prudent annual risk assessments.
  3. Have a reliable annual third-party audit of security controls.
  4. Clearly define and assign information security roles and responsibilities to ensure effective management.
  5. Have strong access control procedures.
  6. Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
  7. Conduct periodic cybersecurity awareness training.
  8. Implement and manage a secure system development life cycle (SDLC) program.
  9. Implement an effective business resiliency program that addresses business continuity, disaster recovery, and incident response.
  10. Encrypt sensitive data, stored and in transit.
  11. Implement strong technical controls in accordance with best security practices.
  12. Appropriately respond to any past cybersecurity incidents.

The full description of the above list can be found here: DOL Cybersecurity Program Best Practices.

How FoxPointe & UAS Support ERISA Plan Sponsors

FoxPointe, in partnership with United Actuarial Services (UAS), has developed a cybersecurity support program designed to help ERISA benefit plan sponsors address the above best practices across their identified plan vendors, meaning every third party that handles plan or participant data or moves plan dollars. One of the most reliable ways to assess compliance with any information security standard, guideline, or law is an expert, independent analysis that measures how currently implemented practices align with the required standard. Whether you are assessing your own information security practices or those of your vendors and third-party service providers, efficiency, expertise, quality, and cost all matter.

Why Third-Party Breach Risks Are Rising & What ERISA Plans Must Do

Breaches involving third-party vendors are increasing in frequency across all industries, not just among health and benefit plan service providers. Measuring the risk carried by third-party relationships has therefore become essential to a well-functioning information security risk management program. The 2025 Verizon Data Breach Investigations Report (DBIR) found that third-party involvement in data breaches doubled in a single year, from 15% to 30% of breaches analyzed.

Automating Vendor Cybersecurity Compliance for ERISA Plans

FoxPointe and UAS have identified a clear need for a more efficient and standardized process for assessing third-party compliance with cybersecurity requirements. This service lets you put annual vendor cybersecurity compliance tracking on autopilot, with the assurance that a team of industry experts is obtaining the evidence needed to maintain your ongoing service provider relationships. If you are an ERISA-covered benefit plan seeking a practical path forward in this area, please reach out for a deeper conversation about this new service, which addresses an area of steadily increasing information security risk.

This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.