Heightened Cybersecurity Concerns in Retirement Plans, and What Asteri Collective Member Firms Must Do
Rising Security Risks in Retirement Plans
A June 2025 NAPA-Net / Escalent survey shows that cybersecurity threats and data breaches are now the top concern for 401(k) plan sponsors of all sizes (NAPA-Net). Some of the key findings:
- 52% of plan sponsor respondents named cybersecurity/data breaches as their greatest fear.
- 7% of all plan sponsors, and 10% of large/mega plans, reported experiencing a 401(k)-related data breach in the past year.
- These concerns now eclipse worries about underperforming investment options (45%) and employees not saving enough for retirement (43%).
This shift is not surprising. Retirement plan data is highly sensitive (participant identities, Social Security numbers, account balances, and distribution instructions), the stakes are high, and cybercriminals are increasingly sophisticated. A breach does not just cost money; it costs trust, invites regulatory exposure, and damages reputation. For RPCs (Retirement Plan Consultants, formerly known as TPAs), recordkeepers, and other service providers, the pressure is on to strengthen cybersecurity policies, procedures, and controls.
What the Regulatory & Fiduciary Landscape Requires
- The Department of Labor (DOL) has issued cybersecurity guidance for plan fiduciaries and service providers, and retirement plan audits increasingly include scrutiny of cybersecurity policies and procedures.
- Plan sponsors are expected to do due diligence on providers, monitor their security practices, document everything, and ensure their cybersecurity posture is more than paper or promise.
- Best practices are converging around encryption, multi-factor authentication (MFA), regular vulnerability and penetration testing, incident response planning, and mandatory vendor security questionnaires.
Strong Cybersecurity as a Membership Criterion
To ensure the firms in our network can win, retain, and serve clients confidently in this environment, all Asteri Collective member companies must meet stringent cybersecurity standards. These include, but are not limited to:
- Formal Cybersecurity Policy & Governance
  - Documented policies governing data handling, access control, employee training, incident response, and roles & responsibilities.
  - Policies reviewed and updated regularly (at least annually) and after any significant incident or change in systems.
- Data Security Controls
  - Encryption of data both in transit and at rest.
  - Multi-factor authentication (MFA) for access to sensitive systems, including remote and administrative access.
  - Least-privilege access with strict user access management, including periodic access reviews and prompt removal of access when roles change or staff depart.
- Vendor & Third-Party Risk Management
  - Security questionnaires for all vendors that handle plan participant data.
  - Periodic audits, or evidence of third-party audits or security certifications (e.g. SOC 2, ISO 27001).
  - Penetration testing and vulnerability scanning of systems that process or store sensitive data.
- Incident Response & Breach Notification
  - A clear, written incident response plan.
  - Defined escalation paths, roles, and timeframes.
  - Breach notification to sponsors, participants, and regulators as required by law and contract.
- Ongoing Monitoring & Testing
  - Regular internal and external audits.
  - Penetration tests and vulnerability assessments.
  - Secure, centralized logging with monitoring and alerting on anomalous behavior.
- Employee Training & Security Culture
  - Security awareness training (phishing, data handling, password hygiene) for all staff.
  - Role-based training for employees with elevated permissions.
  - Clear policies for remote access, device security, and the use of personal and mobile devices.
- Data Privacy & Regulatory Alignment
  - Compliance with relevant laws and regulations (e.g. DOL guidance, the SECURE Act, and state privacy laws, where applicable).
  - Data minimization (collecting only what is needed), a retention policy, and secure disposal.
Why These Security Measures Matter
By holding member firms to high security standards, the Asteri Collective aims to deliver:
- Trust & Competitive Differentiation: Advisors and plan sponsors will increasingly choose providers who can demonstrate robust cyber hygiene. Meeting high standards isn’t just compliance; it’s market positioning.
- Reduced Risk of Breaches & Liability: With documented practices, proactive monitoring, and strong safeguards, firms are better prepared to prevent or limit the damage of a breach.
- Better Client Retention: Advisors and plan sponsors want RPC (TPA) firms they can rely on, especially for data protection. A strong security framework helps build long-term relationships.
- Regulatory Readiness: As federal and state agencies increase oversight of cybersecurity, having these practices in place positions firms to comply and react proactively rather than scrambling.
Real Stats & Trends
- As noted above, 52% of sponsors cite cybersecurity/data breaches as their biggest worry.
- 7-10% of sponsors have already experienced a 401(k)-related data breach in the last year.
- Though cost pressures remain, cyber threats have overtaken many traditional concerns (investment performance, participation levels).
Resources for RPCs & Recordkeepers
Here are some helpful tools and references to guide stronger cybersecurity practices:
| Resource | What It Offers |
|---|---|
| NAPA-Net, “Cybersecurity Audit Survival Kit” | Practical steps plan sponsors/providers can use to prepare for DOL scrutiny of cybersecurity policies and controls. |
| U.S. Department of Labor, Cybersecurity Guidance | Expectations and best practices for plan sponsors, fiduciaries, and recordkeepers handling retirement plan data. |
| Vendor Security Questionnaires (Templates) | Standardized questionnaires to evaluate third-party security posture, controls, and certifications. |
| Third-Party Certifications (SOC 2, ISO 27001) | Independent attestation frameworks to validate security, availability, confidentiality, and risk management. |
| Penetration Testing / Vulnerability Assessments | External testing to identify and prioritize remediation of exploitable weaknesses in systems and processes. |
| Employee Security Training Platforms | Phishing simulations, role-based training, and ongoing awareness programs to strengthen human defenses. |
| Cyber Liability Insurance Providers | Coverage for incident response, forensics, notification, legal costs, and business interruption after a breach. |
A Call to Action
Cybersecurity is no longer optional; it is fundamental to being a trusted partner in the retirement planning ecosystem. At The Asteri Collective, we require all member companies to maintain and continually update their cybersecurity policies, procedures, and protocols, not just to meet regulatory expectations, but to lead the industry in client trust, operational resilience, and security standards.
If you’re a plan sponsor, Retirement Plan Consultant, recordkeeper, or financial advisor: ask the hard questions. Request vendor policies. Check for audits and certifications. See whether providers live up to what they promise. The future of retirement plan administration depends on it.