California Public Employees Retirement System (CalPERS), Charles Schwab, and Fidelity Investments are just a few of the 600 organizations worldwide whose pension funds and benefits plan providers had their participants' data security breached by a ransomware group in recent months. And we're only talking about a single breach, that of Progress Software's MOVEit file management and encryption transfer software. What followed the almost 4 million participants' data affected have been class action lawsuits alleging failures to protect the data privacy of its plan participants, including against Johns Hopkins University & Health System, TIAA, TD Ameritrade, and CalPERS.

The U.S. recorded a 75% increase in ransomware events between the first half and second half of the past 12 months (July 2022-June 2023), according to Malwarebytes, Inc. These staggering exposures should act as an exclamation point on plan sponsors' new post-digital transformation job description, which now must include cybersecurity. It's not a job they asked for but given that any person involved in the management of an employee retirement or benefits plan can be held personally liable for a fiduciary breach under ERISA law, they must roll up their sleeves to work at the intersections of plan management and technology.