How to Strengthen Fiduciary Oversight in Your Retirement Plan

By Mark Olsen, Managing Director at PlanPILOT

Fulfilling fiduciary duties is the cornerstone of responsible retirement plan sponsorship. Under the Employee Retirement Income Security Act (ERISA), plan sponsors are legally obligated to act in the best interests of participants and their beneficiaries. 

Failure to meet these obligations can lead to personal and plan sponsor liability, significant penalties, and costly litigation. With regulatory focus increasing, particularly concerning fee transparency and investment performance, a proactive, documented approach is essential.

At PlanPILOT, we understand the depth of the responsibilities plan sponsors face as well as the complications that can arise due to changing regulations and legislation governing retirement plans. In our view, regular review and upgrades go a long way in maintaining a sound and successful retirement plan.

Here is a practical guide for plan sponsors on raising their standard for fulfilling fiduciary duties in 2026.

Fiduciary Duties Checklist

Plan sponsors must adhere to five core fiduciary principles. They should anchor every plan’s policies and procedures.

  • Act solely in the interest of participants: The primary purpose must be providing benefits and paying reasonable expenses.
  • Prudent person standard: Act with the care, skill, prudence, and diligence of a “prudent expert.”
  • Follow plan documents: Operate the plan according to its legal documents, unless they conflict with ERISA.
  • Diversify investments: Minimize the risk of large losses.
  • Pay reasonable expenses: Confirm fees paid for services are necessary and reasonable. 

Establishing and Running a Fiduciary Committee

Creating a formal committee is a best practice for managing fiduciary responsibility: it brings collective judgment and subject-matter expertise to plan decisions. 

  • Composition: Committees should typically have three to seven members, including representatives from finance, human resources, or leadership.
  • Charter: Adopt a formal committee charter defining its purpose, authority, and responsibilities.
  • Regular meetings: Meet quarterly, or at least semi-annually, to review investment performance, fees, and administrative tasks.
  • Training: Conduct regular training for committee members to understand their duties and stay updated on regulatory changes, such as SECURE 2.0. 

Documentation Best Practices

Because prudence is evaluated by the process rather than just the outcome, documentation is your best defense in an audit. 

  • Meeting minutes: Maintain detailed minutes for every meeting. Document what was discussed, data reviewed, decisions made, and the rationale behind them.
  • Investment policy statement (IPS): Establish an IPS that outlines investment strategy, objectives, and benchmarks for monitoring performance.
  • Service provider selection: Document the process for hiring, evaluating, and monitoring service providers, including RFP processes and fee benchmarking.
  • Secure record retention: Keep records supporting Form 5500 filings (committee minutes, participant communications, fee disclosures) for at least six years after the filing date, and keep records needed to determine participants’ benefits for as long as they may be relevant. 

Avoiding Common Fiduciary Pitfalls

Even well-meaning sponsors can fall into traps. Be aware of these common mistakes we often see in retirement plans:

  • “Set it and forget it” investments: Failing to review the investment menu regularly, allowing underperforming or high-cost funds to remain.
  • Failing to benchmark fees: Not comparing plan fees (both direct and indirect/revenue sharing) to industry standards, resulting in overpayment.
  • Delayed contribution deposits: Failing to deposit employee deferrals on the earliest date they can reasonably be segregated from general assets; this is a high-risk area.
  • Inadequate monitoring: Assuming that hiring a third-party administrator (TPA) or advisor removes all responsibility; sponsors must monitor the monitors.
  • Ignoring operational defects: Failing to correct errors, such as missing a deadline for non-discrimination testing or ignoring participant complaints.

Key 2026 Considerations

Taking steps now to review your plan can go a long way in heading off potential issues later in the year.

  • SECURE 2.0 implementation: Verify your plan is updated to comply with SECURE 2.0 provisions, which have introduced new administrative, eligibility, and reporting requirements. Review the One Big Beautiful Bill Act (OBBBA), enacted last year, for any effect on your plan, and note the SECURE 2.0 requirement, effective for 2026, that catch-up contributions by higher-paid participants be made as Roth (after-tax) contributions.
  • Data security: With the rise of cyber threats, fiduciaries are increasingly responsible for ensuring service providers have robust cybersecurity measures in place to protect participant data. The DOL’s cybersecurity guidance, first issued in 2021 and confirmed in 2024 to apply to all ERISA-covered plans, expects sponsors to ask prospective and current providers about their security standards, audit results (such as SOC reports), and breach history, and to document those inquiries.
  • Proactive oversight: As the regulatory environment becomes more complex, consider engaging an independent fiduciary professional to help with benchmarking and compliance reviews. 

Summary

Fiduciary duty is a continuous process, not a one-time event. By establishing a dedicated committee, thoroughly documenting decisions, and proactively monitoring fees and performance, plan sponsors can minimize risk and provide a high-quality retirement benefit to their employees. Seeking guidance from an experienced plan consultant can help plan sponsors navigate changes to regulations and requirements and streamline their oversight responsibilities.

How Robust Is Your Plan Oversight?

At PlanPILOT, we’re creating the standard for client experience. Independent and impartial by design, we apply our skill to each facet of plan development, governance, and implementation to help you enjoy meaningful results. Our client partnerships are built on trust, communication, and responsibility—cornerstones of a healthy, prosperous relationship. We’re committed to providing objective guidance, informed innovation, and an integrated approach tailored to your unique objectives.

Our team of seasoned professionals upholds the highest professional standards, so every strategy we recommend aims to support both your organization and the participants who depend on it.

Reach out to us at (312) 973-4913 or send an email to mark.olsen@PlanPILOT.com to learn more about how we can customize our services and your plan to fit your unique needs.

About Mark

Mark Olsen is the managing director at PlanPILOT, an independent retirement plan consulting firm headquartered in Chicago. PlanPILOT delivers comprehensive retirement plan advisory services to 401(k), 403(b), and 457 plan sponsors. His specialties include plan governance, investment searches, investment monitoring, and plan oversight. Mark is recognized as a leader in the industry and speaks at national conferences, including those organized by Pensions & Investments, and CUPA-HR.

What Plan Committees Get Wrong—and How to Fix the Issues

By Mark Olsen, Managing Director at PlanPILOT

While plan committees normally have the best of intentions in administering the employer retirement plan, common missteps often arise from a lack of proper design and full understanding about the requirements of a successful and well-functioning program. These include the lack of formal structure, inadequate documentation of decisions, and insufficient oversight of plan operations and service providers. 

In our long experience at PlanPILOT, adopting best practices for governance, documentation, and expert consultation can significantly mitigate fiduciary risk for plan sponsors, streamline administration and oversight processes, and improve plan health for participants.

Let’s explore what may be overlooked and steps committees can take to correct these issues.

Common Missteps

  • Failure to formalize the committee: Operating without a formal committee structure or charter leads to confusion over roles, responsibilities, and decision-making authority.
  • Lack of fiduciary training: Committee members may not fully understand their personal fiduciary responsibilities and potential liabilities under the Employee Retirement Income Security Act (ERISA), assuming third-party providers handle all risk.
  • Inadequate documentation: Failing to maintain detailed meeting minutes that record discussions, decisions, and the rationale behind them leaves the committee vulnerable in audits or lawsuits, as it cannot demonstrate a “prudent process.”
  • Ignoring plan documents: Operating the plan inconsistently with the terms outlined in the official plan document (e.g., incorrect compensation definitions, not following loan rules) is a common operational failure.
  • Infrequent or nonexistent meetings: Irregular meeting schedules or “committee collapse” indicates a lack of commitment and makes it difficult to conduct regular oversight and address issues promptly.
  • “Set it and forget it” mentality: Neglecting to regularly benchmark fees, review investment performance, or stay updated on legislative changes (like the SECURE Act) can result in excessive costs or underperforming options for participants.
  • Failure to use experts wisely: Not leveraging external experts (advisors, legal counsel, actuaries, plan consultants) for specialized guidance, or letting current committee members run the entire process themselves (e.g., conducting their own RFP), can lead to conflicts of interest or missed opportunities for improvement. 

Best Practices for Improvement

  • Establish a Formal Committee and Charter
    • Formalize the committee’s existence, purpose, size (ideally 3-7 members), and the specific roles/titles of members (e.g., CFO, HR Director) in a written committee charter or bylaws.
    • Ensure the charter defines authorities, operational procedures, and a process for removing inactive members.
  • Prioritize Fiduciary Education and Training
    • Provide initial orientation and ongoing, regular training (perhaps quarterly) to confirm all members understand their fiduciary duties and stay abreast of regulatory changes.
    • Consider obtaining fiduciary liability insurance, which protects fiduciaries against breach claims and is distinct from the ERISA fidelity bond that protects the plan against dishonesty.
  • Implement Rigorous Documentation Procedures
    • Designate a secretary to take comprehensive meeting minutes to document all topics discussed, data reviewed (e.g., benchmarking reports), decisions made, and the reasoning for those decisions.
    • Retain all supporting documentation and records consistently.
  • Adopt and Follow Key Documents
    • Create and adhere to a well-defined Investment Policy Statement (IPS) that outlines investment objectives, risk tolerance, and performance benchmarks.
    • Verify all plan operations align with the official plan document; conduct annual reviews to confirm compliance.
  • Establish Regular, Structured Oversight
    • Schedule meetings at least quarterly using a consistent agenda to ensure key areas like investment monitoring, fee reviews, and compliance updates are covered.
    • Reconcile payroll data against recordkeeper contribution files and perform quarterly spot-checks to catch common errors such as late deferral deposits or incorrect eligibility and compensation calculations.
  • Leverage Expert Consultants and Providers
    • Engage external, credentialed experts (e.g., an ERISA 3(21) co-fiduciary advisor or a 3(38) discretionary investment manager) to assist with complex tasks and provide objective insights.
    • Conduct a full Request for Proposal (RFP) process for recordkeeping and other services every 3-5 years to ensure fees remain competitive and services are adequate.
  • Promote Transparency and Diversity
    • Verify the committee’s composition is diverse (across functions, levels, and demographics) to bring different perspectives and better represent the participant base, depending upon company objectives and employee demographics.
    • Implement clear processes for communication with the board of directors and plan participants. 

How to Determine the Health of Your Plan Committee

Waiting until underlying issues become readily apparent and harmful is usually a recipe for bigger problems down the road, especially if your plan and committee functions haven’t been assessed in a long time. ERISA and IRS requirements change often, so keeping your plan up to date is essential both to avoid fiduciary breaches and to maintain effective plan governance. Scheduling a review with an experienced plan consultant could reveal important gaps in plan design or functionality.

How Well Does Your Plan Committee Function?

No one likes to discover issues with plan oversight, but knowing your plan and plan committee are well designed, compliant with ERISA, and operating smoothly provides confidence that a DOL investigation will likely end with a “No Violation” closing letter. 

The DOL Audit: How Plan Sponsors Prepare and What to Expect

By Mark Olsen, Managing Director at PlanPILOT

For retirement and benefit plan sponsors, a Department of Labor (DOL) audit is normally not a welcomed event. Audits, though, are designed to make sure plans such as 401(k)s, 403(b)s, and pension programs are administered properly and comply with ERISA and tax rules. 

Under ERISA, the DOL enforces fiduciary and reporting standards. Every covered plan must file an annual Form 5500, and large plans (generally those with 100 or more participants at the start of the plan year, counted for defined contribution plans since the 2023 plan year as participants with account balances) must attach an independent qualified public accountant’s audit report to that filing.

At PlanPILOT, “plan governance” is a core service we deliver to our plan sponsor clients. In our view, having a well-designed program with efficient documentation procedures and fiduciary training can help mitigate and avoid issues with ERISA regulations and auditors. 

Let’s take a look at how sponsors can prepare for a possible audit examination.

Prepare to Succeed 

Plan sponsors should first establish robust internal controls and proactively organize comprehensive documentation. The best approach is to maintain compliance with ERISA regulations ahead of time and have a systematic, audit-ready recordkeeping system in place. 

Internal Preparation

Effective internal preparation focuses on ongoing compliance and organization, not just a last-minute scramble. 

  • Designate a point of contact: Appoint one primary internal contact to manage all communications and document requests.
  • Engage legal counsel and advisors: Consider engaging ERISA legal counsel and an experienced plan consultant. Consultants can help prepare documentation and advise on audit procedures and responses, while attorneys can provide guidance and representation and help preserve attorney-client privilege.
  • Conduct self-audits: Periodically review plan operations against plan documents and regulatory requirements to identify and correct issues proactively. Periodic “mock audits,” run with a plan consultant, test the program’s procedures and documentation before the DOL does.
  • Establish strong internal controls: Implement and document clear policies and procedures for all plan activities, including eligibility, contributions, distributions, and loans.
  • Document fiduciary meetings: Maintain detailed minutes of all board and/or administrative committee meetings where plan decisions (e.g., investment choices, fee reviews, service provider selection) are discussed and approved.
  • Ensure proper bonding: Annually verify and document that all individuals who handle plan funds or property are covered by an adequate ERISA fidelity bond (typically at least 10% of the funds handled, with a minimum of $1,000 and generally a maximum of $500,000 unless the plan holds employer securities).
  • Communicate with service providers: Confirm that third-party administrators (TPAs), recordkeepers, and other vendors can readily provide their records or a SOC 1 report upon request. 

Keep Essential Documentation

The DOL typically sends an initial letter outlining the required documentation. Having these items organized and readily accessible helps streamline the process. 

  • Plan Legal Documents
    • Executed Plan Document and all amendments
    • Summary Plan Description (SPD) and any Summaries of Material Modification (SMMs)
    • Current IRS determination or opinion letter
    • Trust Agreement
  • Financial and Operational Records
    • Prior years’ Form 5500 filings, including all associated schedules (e.g., Schedule H/I, Schedule A, Schedule C) and the independent auditor’s report (if applicable)
    • Plan financial statements, trust and general ledgers, and account statements
    • Payroll records and employee census data (list of all employees, including hire dates, compensation, and demographics)
    • Detailed records of contributions remitted to the trust, by pay period, with proof of timely deposit
    • Documentation of participant activity (enrollment forms, loan agreements, distribution paperwork)
  • Service Provider and Compliance Documentation
    • All contracts and service agreements with plan providers (TPAs, investment managers, etc.), including fee schedules and compensation details
    • The plan’s Investment Policy Statement (IPS) and documentation of adherence to a prudent process for selecting and monitoring investments
    • Results of non-discrimination testing (ADP/ACP, top-heavy, coverage)
    • Proof of the plan’s fidelity bond and fiduciary liability insurance policies 

By proactively preparing this documentation and establishing clear internal procedures, plan sponsors can navigate a DOL audit efficiently and demonstrate a strong commitment to their fiduciary responsibilities.

When the Audit Notification Arrives

An audit of your retirement plan typically involves a thorough, multi-stage review of your plan’s compliance with the ERISA regulations, focusing heavily on documentation, fiduciary practices, and participant interactions. The process can take weeks to several months, depending on the complexity of the plan and any issues found. 

The Audit Process: Step-by-Step

  1. Initial Contact: You will receive a formal letter from the DOL’s Employee Benefits Security Administration (EBSA) notifying you of the audit and requesting a comprehensive list of documents to be submitted by a certain date.
  2. Document Submission & Review: You must gather and provide extensive documentation, including plan documents and amendments, Form 5500 filings, payroll records, participant communications (e.g., Summary Plan Descriptions), and records of fiduciary meetings. An auditor will review these records and may request additional information.
  3. On-Site or Virtual Interviews: The investigator may conduct interviews with plan fiduciaries, administrators, and potentially even participant-employees to verify that actual operations match the plan’s written documents and legal requirements.
  4. Findings & Resolution
    1. No Violations: You will receive a formal closing letter stating the investigation is complete.
    2. Violations Found: EBSA will issue a letter detailing the violations and asking plan officials to voluntarily correct them. This may involve using programs like the Voluntary Fiduciary Correction Program (VFCP) to correct certain fiduciary breaches.
  5. Penalties and Closing: After corrections are made and any penalties are paid, EBSA will issue a final closing letter. If plan sponsors refuse to cooperate or if the violations are severe (e.g., fraud), the case can be referred for litigation. 

Key Areas of Focus

Auditors will primarily focus on:

  • Timeliness of contributions: Ensuring employee deferrals and loan repayments are deposited into the plan’s trust as soon as they can reasonably be segregated from the employer’s general assets. The 15th business day of the following month is the outer regulatory limit, not a safe harbor; plans with fewer than 100 participants have a separate seven-business-day safe harbor, and larger plans are judged against how quickly the employer has shown it can make deposits.
  • Fiduciary oversight: Verifying plan fiduciaries are acting in the best interest of participants by prudently selecting and monitoring investments, ensuring reasonable fees, and documenting all decisions.
  • Compliance with plan documents: Confirming that the plan’s operations (e.g., eligibility, vesting, distributions) strictly adhere to the terms outlined in the official plan document.
  • Reporting and disclosure: Checking that all required filings (Form 5500) were complete and timely, and all required participant notices were distributed. 

What to Do Initially

Your best initial response would be to cooperate promptly: respond to information requests quickly and professionally. As mentioned, designate a single point of contact to streamline communication with the investigator. Consult with your experienced legal counsel and plan consultant to help navigate the process.

Are You Prepared for a Visit From the DOL?

No one likes to learn they have been selected for a DOL audit, but knowing your plan is well-designed, compliant with ERISA regulations, and operating smoothly can provide confidence and assurance that the result of the audit will likely be a “No Violation” closing letter. 

The Retirement Readiness Gap: How Plan Sponsors Can Respond

By Mark Olsen, Managing Director at PlanPILOT

As a plan sponsor for your company’s retirement plan, your role in helping your employees achieve their retirement goals may be more involved than you might think. Even though you’re likely acting responsibly, managing the mechanics of the plan and meeting fiduciary obligations, you have the opportunity to help your participants meet lifelong objectives that could significantly impact their retirement futures. One of the most valuable gifts you can offer is the ability for participants to retire on time, with financial stability and dignity. 

At PlanPILOT, we believe that providing more than just the basics in a company retirement plan not only helps with employee retention and job satisfaction, but also provides an opportunity to make an impact on the lives of employees and their families. 

To help employees close their retirement savings gap, plan sponsors can adopt several actionable strategies, including optimizing plan design, improving financial wellness offerings, and simplifying the retirement planning experience. Leveraging behavioral science can significantly boost participation and contribution rates. Let’s see how these could be implemented.

Optimize Plan Design Using Automation

  • Implement automatic enrollment and escalation: Automatically enroll new employees in the retirement plan at a default contribution rate and gradually increase their contributions over time. If desired, employees may opt-out or adjust their contributions, but this ‘gentle introduction’ may help get them started.
  • Improve investment defaults: Default employees into well-designed, diversified investments like low-cost target-date funds (TDFs). These automatically adjust asset allocation as a participant ages, making investing simple.
  • Offer both Roth and traditional 401(k) options: Give employees the flexibility to choose their tax advantage. Roth contributions are made with after-tax dollars, and qualified withdrawals in retirement are tax-free, while traditional pre-tax contributions reduce taxable income today. Younger participants in particular are often inclined to save in Roth accounts rather than pre-tax ones.
  • Facilitate higher catch-up contributions: Inform and educate older employees about the catch-up rules: the standard catch-up for those ages 50 and over, and the higher SECURE 2.0 catch-up limit for those ages 60 through 63. Note that starting in 2026, catch-up contributions by higher-paid participants (based on prior-year FICA wages above an indexed threshold) must be made as Roth contributions; if the plan does not offer a Roth option, those participants cannot make catch-up contributions at all, so be sure to add a Roth feature to help your older participants save more.

Enhance Financial Wellness and Education

  • Provide financial coaching: Offer employees one-on-one sessions with financial advisors or coaches to discuss personal finances, including budgeting, debt management, and retirement goals. Personalized advice addresses individual needs and can result in tangible actions.
  • Promote emergency savings options: Employees with high-interest debt or low emergency savings often feel they cannot afford to save for retirement. Offering a workplace emergency savings account (ESA) can help reduce financial stress and improve long-term retirement savings.
  • Implement student loan matching: Under SECURE 2.0, employers can “match” an employee’s student loan payments with contributions to their retirement plan. This can help alleviate high debt loads, especially for younger employees, without sacrificing retirement savings. Student loan debt remains an issue for many younger workers.
  • Use visual and interactive tools: Provide online calculators and tools that allow employees to model various savings scenarios. Seeing the potential impact of small contribution increases can motivate them to save more. 

Improve Communication and Engagement

  • Provide personalized statements and reports: Instead of generic mailers, provide personalized reports to employees showing their estimated monthly retirement income and how they compare to peers.
  • Simplify plan communication: Use clear, simple language to communicate plan benefits. Overly complex or jargon-filled information can overwhelm employees and discourage participation.
  • Leverage social proof: Use peer comparisons to motivate employees. For example, a statement can show how an employee’s savings rate compares to the average for their team or age group.
  • Promote a culture of financial wellness: Position retirement benefits as a vital part of overall financial wellness. Emphasize that the company is invested in its employees’ long-term financial stability to increase loyalty and engagement. 

Enhance Retirement Income Solutions

  • Offer in-plan income solutions: Provide options within the retirement plan for converting savings into a reliable income stream during retirement. This can include annuities, managed payout funds, or customized managed accounts that offer both growth potential and stability.
  • Consolidate accounts with auto-portability: This is especially helpful for younger employees who change jobs frequently. Auto-portability can automatically transfer an employee’s small-balance retirement account to a new employer’s plan, preventing lost or forgotten savings. 

In summary, implementing even a few of these strategies can give employees the confidence and motivation to save for their future. Employees who see their employer doing its best to help them tend to show higher morale and productivity, which benefits everyone.

Are Your Participants Behind Saving for Retirement?

Are you ready to upgrade to a new standard for your benefit planning and company retirement plan to help your employees meet their retirement goals? 

What Retirement Plan Sponsors Need to Know About Cybersecurity

By Mark Olsen, Managing Director at PlanPILOT

While October is recognized as Cybersecurity Awareness Month, the topic deserves attention year-round. For retirement plan sponsors, creating and maintaining an incident response plan is a critical fiduciary responsibility. It involves developing procedures for handling breaches, learning from real-world examples, and training internal teams and committee members on cybersecurity awareness. 

At PlanPILOT, we are all too aware of the havoc a cybersecurity breach can cause to operations and participant confidence. Implementing a sound and effective plan to combat cyberattacks and preserve sensitive participant and plan information can not only boost employee morale and confidence, but also demonstrate fiduciary responsibility as a plan sponsor.

Let’s take a look at how such a Cybersecurity Response Plan might be implemented.

Steps for Creating and Maintaining an Incident Response Plan

A robust incident response plan (IRP) follows the four phases described in the NIST incident-handling guidance (SP 800-61) and reflected in the Department of Labor (DOL) Cybersecurity Program Best Practices: 

1. Preparation

  • Create a formal cybersecurity program: Document your cybersecurity policies and incident response procedures in a single plan. Require senior management and the response team to review these policies and procedures and confirm they understand them. Keep the “manual” readily available so it can be retrieved when an auditor or regulator requests it.
  • Conduct risk assessments: At least annually, identify and address vulnerabilities in your IT systems, including systems operated by third-party vendors such as recordkeepers. Work with IT consultants who stay current on evolving cyber threats and breach techniques.
  • Establish an incident response team: Define roles, responsibilities, and authority levels for a dedicated team (also known as a Computer Security Incident Response Team, or CSIRT) so it can act swiftly without waiting for ad hoc approvals.
  • Identify and categorize incidents: Define what constitutes a cybersecurity incident for your organization, with severity levels based on potential impact, for example exposure of participant personal data or an unauthorized distribution.
  • Define communication protocols: Create procedures for internal and external communication with stakeholders, including participants, regulators, and legal counsel. If breach claims are covered under a cyber or property and casualty policy, the insurer will usually require prompt notice of an incident, so build that notification step into the protocol.

2. Detection and analysis

  • Monitor systems: Use monitoring tools and alerting to detect potential security incidents, and schedule and document regular testing of those systems so you know the alerts actually fire.
  • Validate potential threats: Investigate each detected event to confirm whether it is a genuine security incident or a false positive before escalating, and record the evidence behind that decision.

3. Containment, eradication, and recovery

  • Contain the breach: Follow the response protocols to quickly isolate affected systems and limit further exposure of data.
  • Engage experts: Bring in cybersecurity and forensics professionals to help investigate and remediate the breach, and preserve logs and affected systems for them rather than wiping evidence.
  • Remove the threat: Eradicate the root cause of the incident, such as malware or unauthorized access, and patch the vulnerabilities that allowed it.
  • Recover and restore: Restore systems from clean backups and resume normal operations as quickly as possible, but only after confirming the root cause has been removed and the restored systems have been verified clean.

4. Post-incident activities

  • Conduct a blameless retrospective: Document the full incident timeline and analyze the effectiveness of the response, focusing on process gaps rather than individual fault.
  • Update the plan: Apply the lessons from the incident to improve the IRP and overall security posture. Also revise the plan annually and after any significant organizational change.
  • Document and report: Create detailed incident reports for legal and regulatory purposes, including any notifications owed to participants, regulators, and insurers.

Examples of Breaches and Lessons Learned

Recent breaches targeting retirement plans and associated third-party vendors offer valuable lessons for plan sponsors. 

  • JP Morgan Chase data breach (2024): A software flaw exposed the personal information of over 451,000 retirement plan participants for an extended period. JP Morgan Chase is one of the world’s largest banks and is subject to heavy regulatory scrutiny in both banking and securities trading, yet the flaw still went unnoticed for a long time.
    • Lesson: Flaws in systems and third-party software can expose data even without a direct cyberattack. Regular, thorough security reviews of all software that handles participant data are essential.
  • MOVEit cyberattack (2023): Vulnerabilities in a widely used third-party file transfer tool led to breaches at several public pension systems and major recordkeepers, affecting millions of individuals.
    • Lesson: Third-party vendors are a major source of risk. Plan sponsors must conduct strict due diligence on all vendors and require them to maintain robust security controls.
  • Account takeovers: Criminals increasingly recognize retirement plans as a valuable target. They use stolen participant data to log in as the participant, then take out unapproved loans or redirect distributions to accounts they control.
    • Lesson: Encourage participants to use strong, unique passwords and multi-factor authentication. Confirm that your recordkeeper verifies bank-account changes, loans, and distributions through a second channel, and invest in modern fraud surveillance that flags suspicious sequences of activity rather than single events.
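The account-takeover pattern above is one that fraud surveillance (or the “validate potential threats” step in the detection phase) can catch mechanically: a login from a device the participant has never used, followed within a short window by a contact or bank-account change and then a loan or distribution request. The Python script below is an added example and is not PlanPILOT’s code or any recordkeeper’s product; the activity-log format, the sample events, the participant device baselines, the 72-hour window, and the scoring weights are all constructed for illustration.

```python
"""Account-takeover (ATO) detection over participant activity events.

Added example, not PlanPILOT or recordkeeper code. The log format,
field names, baselines and scoring weights are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <participant> <event> device=<id>"
SAMPLE_EVENTS = """
2024-03-01T12:00:00 P1002 login device=d-22bb
2024-03-02T09:00:00 P1002 contribution_change device=d-22bb
2024-03-04T08:02:11 P1003 login device=d-33cc
2024-03-04T08:10:00 P1003 loan_request device=d-33cc
2024-03-05T22:41:09 P1001 login device=d-9c21
2024-03-05T22:44:30 P1001 email_change device=d-9c21
2024-03-05T22:47:02 P1001 bank_account_change device=d-9c21
2024-03-06T09:15:55 P1001 loan_request device=d-9c21
2024-03-07T12:00:00 P1002 loan_request device=d-22bb
"""

# Constructed baseline (assumed): devices each participant has used before.
KNOWN_DEVICES = {"P1001": {"d-7f3a"}, "P1002": {"d-11aa"}, "P1003": {"d-33cc"}}

# Profile changes that redirect credentials or money, and money-out events.
PROFILE_CHANGES = {"email_change", "phone_change", "bank_account_change", "password_reset"}
MONEY_OUT = {"loan_request", "distribution_request"}
WINDOW = timedelta(hours=72)   # assumed: how long after a new-device login we stay suspicious
ALERT_THRESHOLD = 5            # assumed: score at which an analyst is paged


@dataclass
class Event:
    ts: datetime
    participant: str
    kind: str
    device: str


def parse_events(text: str) -> list[Event]:
    """Parse the constructed log format into Events sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, pid, kind, dev = line.split()
        events.append(Event(datetime.fromisoformat(ts), pid, kind, dev.split("=", 1)[1]))
    return sorted(events, key=lambda e: e.ts)


def score_participant(events: list[Event], known_devices: set[str]) -> tuple[int, list[str]]:
    """Score one participant's time-ordered events for the ATO sequence.

    Assumed weights:
      +2 login from a device not in the participant's baseline
      +2 each profile change within WINDOW of that login
      +3 a money-out request within WINDOW of that login,
         +1 more if a profile change preceded it (money being redirected)
    Activity from known devices with no preceding new-device login scores 0,
    and a later login from a known device does not clear suspicion; only
    the time window does.
    """
    score, reasons = 0, []
    new_login_at = None
    profile_changed = False
    for e in events:
        stamp = e.ts.strftime("%Y-%m-%d %H:%M")
        if e.kind == "login":
            if e.device not in known_devices:
                new_login_at, profile_changed = e.ts, False
                score += 2
                reasons.append(f"{stamp} login from unknown device {e.device}")
        elif new_login_at is not None and e.ts - new_login_at <= WINDOW:
            if e.kind in PROFILE_CHANGES:
                score += 2
                profile_changed = True
                reasons.append(f"{stamp} {e.kind} shortly after new-device login")
            elif e.kind in MONEY_OUT:
                score += 3 + (1 if profile_changed else 0)
                reasons.append(f"{stamp} {e.kind} shortly after new-device login")
    return score, reasons


def detect_ato(events: list[Event], baselines: dict[str, set[str]]) -> dict:
    """Return {participant: (score, reasons)} for participants at or above threshold."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e.participant].append(e)
    alerts = {}
    for pid, evs in by_pid.items():
        score, reasons = score_participant(evs, baselines.get(pid, set()))
        if score >= ALERT_THRESHOLD:
            alerts[pid] = (score, reasons)
    return alerts


def run_example() -> dict:
    return detect_ato(parse_events(SAMPLE_EVENTS), KNOWN_DEVICES)


if __name__ == "__main__":
    for pid, (score, reasons) in run_example().items():
        print(f"ALERT {pid} score={score}")
        for r in reasons:
            print("  -", r)
```

Only P1001 is alerted: a new device, two profile changes and a loan request within hours. P1002 also logged in from an unknown device, but the loan request came six days later, outside the window, so it scores below the threshold, and P1003 took a loan from a known device and scores zero. A production system would add signals such as IP reputation, geolocation and session data, and the weights would be tuned against real fraud cases, but the point for a committee is the same: the signal is the sequence of events, not any single one of them.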

Training Internal Teams and Committee Members

Effective training can significantly reduce the risk of a breach and improve a plan’s response. The training should be tailored to the audience and provided regularly. 

  • Regular awareness training: Educate all staff on how to recognize phishing emails, social engineering tactics, and other common threats.
  • Phishing simulations: Conduct regular phishing tests to measure employee vulnerability and reinforce lessons learned from training.
  • Data handling protocols: Train employees on how to securely handle sensitive data, use corporate devices, and access plan information.
  • Breach action plan: Train teams on their specific roles within the incident response plan, including detection, containment, and notification procedures.
  • Best practices: Promote strong passwords, use of multi-factor authentication, and vigilance against suspicious communications. 

For Retirement Plan Committee Members

  • Understand fiduciary duty: Train committee members on their fiduciary responsibility for protecting plan assets and participant data.
  • Address key risks: Educate the committee on the specific cybersecurity risks facing the plan, including third-party vendor risks and account takeovers.
  • Review and approve policies: Train committee members on how to evaluate and approve the plan’s cybersecurity policies and incident response procedures.
  • Discuss vendor controls: Review System and Organization Controls (SOC) reports and other security audits from recordkeepers and other vendors. Check the report type and scope (a SOC 2 covers security controls, while a SOC 1 covers controls over financial reporting), the period it covers, any exceptions the auditor noted, and the complementary controls the report expects the plan sponsor itself to operate.
  • Conduct tabletop exercises: Simulate a breach scenario with the committee to test the incident response plan and evaluate decision-making under pressure. 

In today’s fast-changing technology landscape, cybersecurity and guarding against attacks on company IT systems are not only critical to protecting company information and operations, but also an essential part of a retirement plan sponsor’s fiduciary responsibilities.

Plan sponsors interested in upgrading or implementing a cybersecurity protection and response plan would be wise to work with qualified benefit consultants who can offer customized plan design tailored to company objectives and resources as well as a good match with participant goals and demographics.

Is Your Company Retirement Plan Protected Against Cyberattacks?

Are you ready to upgrade to a new standard for your benefit planning and company retirement plan? Reach out to us at (312) 973-4913 or send an email to mark.olsen@PlanPILOT.com to learn more about how we can customize our services and your plan to fit your unique needs.