12.12.25
“It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.”
Stéphane Nappo

That simple sentence captures the reality facing not only companies but the retirement industry itself—threatening plan sponsors, TPAs, recordkeepers, and every vendor who touches retirement plan data or assets.

Cybersecurity has become a forever hot topic—an issue that never cools off. Fortune 500 companies scramble to protect their systems as breaches at T-Mobile, LinkedIn, and Colonial Pipeline have proven that even sophisticated defenses aren’t invincible. By 2025 cyberattacks ranged from ransomware campaigns to massive data breaches, highlighting the critical need for strong controls and constant vigilance.

Cyberattacks have evolved from rare events into everyday risks, taking cybercrime to new heights. Cybercrime itself is defined by G’Secure Labs as “any unauthorized attempt to access, control, modify, or disrupt an asset of a computer system or network.” Think of it as a three-legged stool—each part connected to the others. Cybercrime is the offense, cyberattacks are the methods used to carry it out, and cybersecurity is the strategy designed to prevent and defend against them.

Cybercrime is a trillion-dollar criminal enterprise. A 2025 Astra Cyber report found that 43% of attacks target small and mid-size businesses, not just the Fortune 500 giants we usually hear about. The cost is staggering: a 2023 IBM study found that 95% of companies have suffered at least one cybersecurity-related incident, while a 2025 TIAA report placed total U.S. losses at $16.6 billion. Individuals pay a steep price as well—6.5 million victims lost roughly $26 billion between 2001 and 2021.

The retirement industry is an especially tempting target. With trillions of dollars under management and millions of participant accounts, it offers an almost irresistible combination of high-value assets and uneven security practices—a virtual welcome mat for hackers. Retirement plan cybersecurity is no longer a technical footnote; it’s now a core component of plan administration.

Breaches Hit Home

Even so, “It can’t happen to us” remained a common refrain—until mid-2023, when a major data breach shook the retirement industry to its very foundations. Hackers infiltrated MOVEit, a widely used file transfer application holding names, Social Security numbers, and account information from numerous recordkeepers, and held that data for ransom. Considered a “hydra-headed” attack, it spread quickly across multiple vendors and prompted administrators and service providers alike to reassess their cybersecurity readiness.

The MOVEit breach wasn’t an isolated incident. In late April 2025, Alera Group announced a breach that had occurred almost a year earlier, in the summer of 2024. Alera discovered the breach quickly and launched an internal investigation into it, but public disclosure didn’t occur until months later. That delay isn’t unusual, but it underscores a difficult reality for service providers balancing careful fact-finding against the need to communicate quickly enough to maintain trust.

Cybersecurity is no longer just an IT issue—it’s a fiduciary and operational issue as well.

When breaches hit retirement plans, the fallout isn’t limited to data loss. It exposes plan fiduciaries to legal risk and erodes the trust that underpins every client and participant relationship.

Breaches Hit Employees’ Retirement Security

ERISA was written long before the digital age, so it contains no specific provisions on cybersecurity. For years, courts were left to interpret how fiduciary standards apply to cyber incidents. The Department of Labor eventually stepped in, issuing its first cybersecurity guidance in 2021 and updating it in 2024—but guidance is not law.

And so far, federal law hasn’t provided a solution for who’s responsible when cybertheft occurs, leaving thorny questions about whether losses fall on the service provider, the fiduciary who hired and monitors that provider, or the innocent participant. The issue is further complicated by the fact that many recordkeepers are not ERISA fiduciaries at all.

Breaches in retirement plans don’t just expose data; they also expose fiduciaries. In Berman v. Estée Lauder, hackers used stolen credentials to empty a participant’s 401(k) account. In Bartnett v. Abbott Laboratories, a similar scheme resulted in unauthorized distributions. Both cases underscored that protecting participant data is part of a fiduciary’s duty of care under ERISA—and that failure to act prudently can lead to costly lawsuits.

A more recent example, Disberry v. Employee Relations Committee of Colgate-Palmolive, involved a $750,000 account drained after hackers called the recordkeeper’s service center, changed personal data and banking information, and bypassed several of the plan’s safeguards. The case may help further define the division of responsibility between fiduciaries and service providers.

When cybertheft strikes a retirement plan, it’s the participants who often suffer the most. Even when stolen funds are eventually restored, they often lose something they can’t get back: the growth their savings would have earned—and their trust in the plan meant to provide retirement security. The disruption, stress, and months-long investigations can leave employees feeling powerless at precisely the moment they most need stability.

Sources of Retirement Plan Theft

As discussed, cybersecurity for retirement plans is essential. Cyberthieves know that retirement plans hold valuable information and assets—and not every company’s defenses are the same. Smaller plans, in particular, may be more vulnerable since their internal controls tend to be weaker.

The challenge is that attacks can come from almost anywhere—inside or outside the organization—and often from unlikely sources no one would ever imagine being involved. Two of the most common are participant impersonation and hacking.

Participant impersonation is the most common form of identity theft in retirement plans. The thief poses as a real participant—often using information obtained through phishing—to request an address change or a distribution. Once the address is updated, the money is sent to the thief, who disappears before anyone realizes what has happened.
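The impersonation pattern described here, and in the Disberry case above (contact details and banking information changed, then a distribution taken), has a recognizable fingerprint: a change to where money or mail goes, followed shortly by a request to move money. The following is an added illustration, not code from Stax.ai or any recordkeeper, of a simple control a plan administrator could run over participant account events to hold such requests for out-of-band verification. The event format, participant IDs, and the 14-day window are assumptions; the log lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events: timestamp,participant_id,event_kind,channel
SAMPLE_EVENTS = [
    "2025-03-01T09:12:00,P1001,login,web",
    "2025-03-02T14:05:00,P1001,address_change,phone",
    "2025-03-03T10:30:00,P1001,bank_change,phone",
    "2025-03-04T08:45:00,P1001,distribution_request,web",
    "2025-03-10T11:00:00,P2002,address_change,web",
    "2025-05-20T16:20:00,P2002,distribution_request,web",  # change is 71 days old
    "2025-03-05T09:00:00,P3003,distribution_request,web",  # no recent change
]

# Events that redirect where money or mail goes; a distribution soon after
# one of these is the classic impersonation fingerprint.
CHANGE_EVENTS = {"address_change", "bank_change"}


def parse_event(line):
    ts, pid, kind, channel = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "pid": pid,
            "kind": kind, "channel": channel}


def flag_suspicious_distributions(lines, window_days=14):
    """Return distribution requests preceded, within window_days, by an
    address or bank change on the same account. Each result lists the
    triggering changes so a reviewer can verify the participant out of band
    (for example, by calling a phone number on file from before the change)."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    recent_changes = {}  # participant_id -> list of change events
    flagged = []
    for e in events:
        if e["kind"] in CHANGE_EVENTS:
            recent_changes.setdefault(e["pid"], []).append(e)
        elif e["kind"] == "distribution_request":
            window_start = e["ts"] - timedelta(days=window_days)
            triggers = [c for c in recent_changes.get(e["pid"], [])
                        if c["ts"] >= window_start]
            if triggers:
                flagged.append({
                    "pid": e["pid"],
                    "requested": e["ts"].isoformat(),
                    "reasons": [f"{c['kind']} via {c['channel']} "
                                f"{(e['ts'] - c['ts']).days}d earlier"
                                for c in triggers],
                })
    return flagged


if __name__ == "__main__":
    for hit in flag_suspicious_distributions(SAMPLE_EVENTS):
        print(hit)
```

Only P1001 is held: its distribution follows two phone-channel changes within days, while P2002’s change is well outside the window and P3003 has none.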

Hacking occurs when someone gains unauthorized access to a plan’s computer systems, either through stolen passwords or by exploiting weak security settings. Hacking can take several forms, including:

  • Phishing. A scam in which attackers impersonate a trusted source or legitimate organization and trick employees or participants into revealing sensitive information by clicking on fake emails or website links.

  • Malware. Malicious software that infiltrates a computer system and, once triggered, can damage the system while also allowing hackers to access files and steal personal data.

  • Ransomware. A type of malware that locks files or disables access to a computer system until a ransom is paid.

Every one of these threats carries not only financial risk but fiduciary risk. Cybersecurity is no longer just about technology—it has evolved into a core fiduciary obligation, as clarified by the Department of Labor (DOL).

The Fiduciary Factor

First, what is a fiduciary?

A fiduciary is someone who is legally required to act in the best interests of others. Under ERISA, this responsibility is framed as a duty of “prudence”—acting with the care, skill, and diligence that an expert would use in similar circumstances.

In the retirement world, a fiduciary isn’t determined by job title, but by the functions a person actually performs, such as when they:

  • exercise discretion in managing the plan,

  • control plan assets, or

  • have discretionary authority in plan administration.

Not every plan-related task is a fiduciary one, though. Some—like deciding whether to establish a retirement plan or what type of plan to offer—are purely business decisions. But once the plan is in place, decisions that affect the terms of the plan itself become fiduciary in nature. The line is simple: business choices stop where discretionary control over plan assets, administration, or participant data begins.

Anyone who performs these functions—whether they’re an employer (plan sponsor), third-party administrator, trustee, or an investment advisor—is required to act prudently and in the best interest of plan participants and beneficiaries. Hiring someone to carry out fiduciary functions is itself a fiduciary act.

And while ERISA predates the digital era, the duty of prudence now clearly extends to cybersecurity, a point the DOL emphasized in its 2021 cybersecurity guidance and reaffirmed in 2024. But guidance is not law—and federal law still doesn’t specify who is liable when cybertheft occurs, leaving unanswered questions about whether losses fall on the service provider, the sponsoring employer, or the innocent participant.

Because the legal landscape is still so unsettled, the DOL’s guidance remains the closest thing fiduciaries have to a roadmap. It highlights three areas plan sponsors should treat as part of their duty of prudence to safeguard participant data and assets:

  • Vetting vendors. Carefully reviewing service providers’ cybersecurity programs—practices, policies, and procedures—as well as checking for any past breaches.

  • Internal best practices. Maintaining well-documented policies for protecting plan data and managing cyber risks.

  • Online safeguards. Educating participants on how to protect their accounts and keep their identities safe.

Plan sponsors don’t have to be cybersecurity experts, but they do need to hire qualified help when needed—and document the advice they receive and the actions they take. And even with multiple vendors involved, the ultimate responsibility still rests with the plan sponsor. The buck stops there.

And part of meeting that responsibility today is making sure the tools that support the plan are secure.

The Expanding Tech Landscape—Modern Tools for Modern Cybersecurity Needs

Retirement plan operations look very different today than they did even five years ago. Plans now rely on digital payroll integrations, cloud-based recordkeeping, automated government filings, and AI-driven analytics instead of paper. The upside is efficiency. The downside is that every new connection adds another point of cyber vulnerability.

In this environment, plan sponsors need both stronger internal controls and technology partners whose cybersecurity standards match—or exceed—their own.

Stax.ai Helps Reduce Cyber Risk

Stax.ai is built with cybersecurity at its core. Its platforms are SOC 2 Type II certified—the gold standard for data security and a requirement for many 401(k) audits. They use encryption for data at rest and in transit, perform daily backups and regular security audits, and provide centralized workflows that reduce exposure from email, manual steps, and scattered documents.

Protecting plan data is a shared responsibility—but choosing secure, audit-ready technology is one of the smartest steps a plan sponsor can take.

Closing Thoughts

Stax.ai’s CX system strengthens those defenses with encrypted file transfers, secure client communication, and a secure, centralized environment where sensitive plan information stays protected.
