Employee benefit plans represent some of the most attractive targets for cybercriminals, holding trillions of dollars in retirement assets and vast amounts of sensitive participant data. Yet as artificial intelligence tools become embedded in benefits administration, from chatbots answering questions to algorithms processing claims, a new layer of vulnerability has emerged that most plan fiduciaries haven't fully addressed. The U.S. Department of Labor (DOL) has made clear this is no longer optional: cybersecurity is now a fiduciary responsibility, and enforcement is accelerating.

Why Are AI-Powered Benefits Systems Creating New Security Risks?

When AI tools are integrated into employee benefits administration, they typically require access to massive amounts of sensitive data to function effectively. This concentration of information creates an attractive target for cyberattacks. A breach of an AI system could expose not only current participant information, but also historical data used to train the models themselves.

Beyond traditional data theft, AI systems face a unique threat called "adversarial attacks." These are cyberattacks specifically designed to manipulate how AI systems behave. Bad actors could potentially manipulate AI tools to approve fraudulent transactions, provide incorrect benefit information, or bypass security controls entirely. The complexity of modern AI systems makes such attacks difficult to detect, meaning a compromise could go unnoticed for weeks or months.

Integration points create additional vulnerabilities. AI tools often connect to multiple databases, communication platforms, and third-party services. Each connection represents a potential entry point for attackers. This interconnected landscape means that a single weak link in the vendor ecosystem could compromise the entire benefits infrastructure.

What Is the DOL Actually Requiring From Plan Fiduciaries?

The DOL's Employee Benefits Security Administration (EBSA) first issued cybersecurity guidance in April 2021, then updated it in September 2024 to clarify that all employee benefit plans, both retirement and health and welfare plans, must comply. The message is unambiguous: cybersecurity is now an ERISA fiduciary responsibility. Plan fiduciaries cannot simply delegate this responsibility to service providers and walk away. They must actively and continuously oversee cybersecurity risks as part of their duty of prudence.

This isn't theoretical enforcement. Cybersecurity topped the EBSA's 2026 enforcement priorities list, and investigators are now incorporating cybersecurity questions into standard plan audit protocols. The DOL is requesting documentation regarding cybersecurity policies, service provider agreements, and incident response procedures. Organizations without clear records of their cybersecurity decisions face significant compliance risk.

How to Build a Cybersecurity Program That Satisfies DOL Requirements

- Vendor Due Diligence: When selecting service providers, evaluate their cybersecurity practices as part of the prudent selection process. Request and review their written cybersecurity policies, inquire about security certifications and cybersecurity insurance, and ask about incident history. Specifically ask whether AI is being used, for what purposes, what data these AI tools can access, and how that data is stored and protected. Implement ongoing monitoring procedures, including requiring periodic cybersecurity reports or certifications from service providers.
- Contractual Protections: Service agreements should include robust cybersecurity provisions with clear allocation of responsibility for data security and breach liability, requirements for the service provider to maintain specified security controls, notification obligations for security incidents, annual cybersecurity reports or certifications, audit rights permitting the plan to verify security compliance, restrictions on subcontracting with requirements for subcontractor oversight, and provisions addressing AI-specific risks including data usage limitations and security testing requirements.
- Participant Education: Educated participants serve as an important line of defense against social engineering and account takeover attacks. Communicate cybersecurity best practices to plan participants, encourage strong passwords and multi-factor authentication, and provide clear instructions for reporting suspected fraud or unauthorized account access.
- Employee Training: Human error remains a leading cause of data breaches. Ensure that all individuals with access to plan data receive regular cybersecurity training at least annually. Training should cover how to recognize phishing emails and social engineering attempts, proper handling of sensitive information including appropriate and inappropriate use of AI, and procedures for reporting suspected incidents.
- Documentation: Document all cybersecurity-related decisions, including records of service provider evaluations, ongoing vendor reviews, training activities, cybersecurity policy reviews and updates, incident response actions, and insurance reviews. In the event of a DOL audit or participant complaint, these records will demonstrate that the fiduciary acted prudently and in accordance with ERISA obligations.

The documentation requirement deserves special emphasis. Without clear records proving that cybersecurity decisions were made thoughtfully and reviewed regularly, even genuinely prudent actions may fail to satisfy DOL auditors. The agency is specifically looking for evidence that fiduciaries understood the risks, evaluated their service providers' security practices, and maintained ongoing oversight.

The convergence of AI adoption and DOL enforcement creates an urgent window for action. Organizations that proactively address AI-specific cybersecurity risks, document their decisions thoroughly, and implement robust vendor oversight will be well-positioned to satisfy regulators. Those that treat AI integration as purely a business efficiency question, without corresponding security controls, face both regulatory penalties and the very real risk of participant data breaches that could expose millions of individuals' sensitive information.