Cybersecurity Program Best Practices for EBPs

For fiduciaries of ERISA-covered pension and health and welfare plans, the mandate to safeguard plan assets and sensitive participant information is not merely prudent—it's a foundational obligation. With plans often holding millions of dollars and sensitive personally identifiable information (PII), they present an attractive target for cyber-criminals.

At CSH, we bring our extensive experience in auditing and consulting on employee benefit plans, combined with our best-in-class cybersecurity solutions, to help organizations implement effective protections. Read on to discover eight best practices every plan fiduciary and service provider should follow:

Establish a Formal Cybersecurity Program

A well-documented cybersecurity program is the foundation of risk management. It must include formal information security policies, clear governance frameworks, and annual independent reviews to ensure controls remain effective. Leadership approval and regular updates to the program are essential, as is annual cybersecurity awareness training for all personnel.

Conduct Annual Risk Assessments

With the threat landscape constantly evolving, annual risk assessments help organizations stay ahead. These assessments must methodically identify and prioritize risks to information systems and guide decision-making around cybersecurity investments and mitigation strategies.

Require Independent Third-Party Audits

Independent audits provide an objective evaluation of an organization's cybersecurity controls. Audit reports should be prepared under appropriate standards, with documented corrections for any weaknesses found. This independent review offers critical transparency to fiduciaries and participants alike.

Define Security Roles and Implement Strong Access Controls

Effective cybersecurity programs clearly define roles and responsibilities, led by a qualified Chief Information Security Officer (CISO). Access control practices—including frequent review of user privileges, enforcement of strong password policies, and consistent use of multi-factor authentication (MFA)—are critical to limiting exposure to threats.

Ensure Secure Management of Cloud Services and Vendors

Given the prevalence of cloud solutions and outsourced services, fiduciaries must ensure that third-party providers adhere to rigorous cybersecurity practices. This includes periodic assessments, documented security standards, and contractual protections around data privacy and breach notification protocols.

Implement Secure Development Practices and Business Resiliency Programs

Organizations must embed security into system development life cycles (SDLCs) and conduct penetration testing, vulnerability scanning, and secure code reviews. In parallel, business resiliency planning must be tested and refined regularly, including business continuity, disaster recovery, and incident response plans.

Encrypt Sensitive Data and Maintain Strong Technical Controls

Encryption of sensitive data both in transit and at rest is non-negotiable. Additionally, organizations must maintain up-to-date firewalls, antivirus software, patch management practices, and network segmentation to fortify their infrastructure.

Prepare for and Respond to Cybersecurity Incidents

In the event of a breach, swift action is required: notifying law enforcement and participants, mitigating damages, fulfilling legal obligations, and remediating vulnerabilities to prevent recurrence.

Leverage CSH as a Trusted Advisor

At CSH, we not only audit and consult on employee benefit plans but also deliver cybersecurity solutions—including third-party risk assessments—to protect your plans, your participants, and your reputation. Through our consulting arm, Clark Schaefer Consulting, we offer a whole suite of solutions to strengthen our clients’ cybersecurity posture and meet their fiduciary obligations with confidence.

Connect with us today and learn more about how we can support your organization.

Brad Eberhard

Shareholder
With nearly 20 years of experience working with a variety of clients, Brad is uniquely qualified to understand the issues and complexities affecting companies and to assist them in achieving their goals.