Cybersecurity in the Age of AI: Best Practices for Employee Benefits Administration
Introduction
Cybersecurity has become a critical concern for employee benefit plan fiduciaries. With trillions of dollars in retirement assets and vast amounts of sensitive participant data at stake, benefit plans represent attractive targets for cybercriminals. At the same time, the growing use of artificial intelligence (AI) in benefits administration introduces new cybersecurity vulnerabilities that fiduciaries must address. This article provides background on Department of Labor (DOL) cybersecurity guidance, examines cybersecurity risks associated with AI tools, and offers practical steps for managing these risks.
DOL Cybersecurity Guidance and Enforcement Priority
In April 2021, the DOL’s Employee Benefits Security Administration (EBSA) issued its first-ever guidance on cybersecurity for employee benefit plans. In September 2024, EBSA updated the guidance to clarify that all employee benefit plans (both retirement and health and welfare plans) are covered by its cybersecurity requirements. The guidance makes clear that the DOL views cybersecurity as an ERISA fiduciary responsibility. Plan fiduciaries must ensure proper mitigation of cybersecurity risks as part of their duty of prudence, including prudently selecting and monitoring service providers who handle participant data and plan assets. In other words, fiduciaries cannot simply rely on service providers to manage these risks — their active and ongoing oversight is required.
Although this initial guidance is now over four years old, cybersecurity remains a top DOL priority. Earlier this year, EBSA released its 2026 enforcement priorities, with cybersecurity topping the list. EBSA has also incorporated cybersecurity questions into its standard plan audit protocols, with investigators now requesting documentation regarding cybersecurity policies, service provider agreements, and incident response procedures.
The Impact of AI on Cybersecurity
AI tools are increasingly used in benefits administration, from chatbots answering participant questions to algorithms processing claims and generating investment recommendations. While these tools can improve efficiency, they also introduce new cybersecurity risks that fiduciaries must evaluate. (For more information about broader fiduciary considerations with the use of AI in 401(k) plans, see our previous article: Generative Artificial Intelligence (AI) and 401(k) Plan Fiduciary Implications.)
First, AI systems often require access to vast amounts of sensitive data to function effectively. This concentration of data creates attractive targets for cyberattacks. A breach of an AI system may expose not only current participant information, but also historical data used to train the models.
Second, AI tools may be vulnerable to “adversarial attacks” — cyberattacks specifically designed to manipulate AI outputs. Bad actors could potentially manipulate AI systems to approve fraudulent transactions, provide incorrect benefit information, or bypass security controls. The complexity of some AI systems can make such attacks difficult to detect.
Third, the integration of AI with other plan systems could create additional security vulnerabilities. AI tools often connect to multiple databases, communication platforms, and third-party services. Each integration point represents a potential vulnerability.
Cybersecurity Best Practices
Based on the DOL’s guidance and emerging best practices, fiduciaries should consider implementing the following measures:
- Vendor Due Diligence. When selecting service providers, evaluate their cybersecurity practices as part of the prudent selection process. Request and review their written cybersecurity policies, inquire about security certifications and cybersecurity insurance, and ask about incident history. Given that vendors increasingly use AI, specifically ask whether AI is being used and for what purposes, what data these AI tools can access, and how that data is stored and protected. And, because fiduciary responsibility does not end after vendor selection, implement ongoing monitoring procedures, including requiring periodic cybersecurity reports and/or certifications from service providers.
- Contractual Protections. Service agreements should include robust cybersecurity provisions. Key terms to review include: whether there is a clear allocation of responsibility for data security and breach liability; requirements for the service provider to maintain specified security controls; notification obligations for security incidents; annual cybersecurity reports or certifications; audit rights permitting the plan to verify security compliance; restrictions on subcontracting with requirements for subcontractor oversight; and provisions addressing AI-specific risks, including data usage limitations and security testing requirements.
- Participant Education. Educated participants serve as an important line of defense against social engineering and account takeover attacks. Consistent with DOL guidance, communicate cybersecurity best practices to plan participants. Encourage strong passwords, multi-factor authentication, and regular monitoring of account activity. Provide clear instructions for reporting suspected fraud or unauthorized account access.
- Employee Education. Human error remains a leading cause of data breaches. Fiduciaries should ensure that all individuals with access to plan data receive regular cybersecurity training, at least annually. Training should cover how to recognize phishing emails and social engineering attempts, proper handling of sensitive information (including appropriate and inappropriate use of AI), and procedures for reporting suspected incidents. Also consider including a statement on cybersecurity in your Summary Plan Description that directs participants to the DOL’s online security tips.
- Documentation. Last, but certainly not least, document all cybersecurity-related decisions. This includes records of service provider evaluations, ongoing vendor reviews, training activities, cybersecurity policy reviews and updates, incident response actions, and insurance reviews. Documentation of each decision should include both a record of the final decision and the information reviewed in reaching it. In the event of a DOL audit or participant complaint, these records will demonstrate that the fiduciary acted prudently and in accordance with ERISA obligations. Without a good record, your other prudent actions may count for nothing, because you will have no way to prove they happened.