By Ari Sonneberg and Barry Salkin
In its January 2026 statement of enforcement policy, the Department of Labor (“DOL”) indicated that cybersecurity and data protection were its highest priority. Under current law, a participant or a beneficiary in a tax-favored defined contribution retirement plan (e.g., 401(k), profit sharing, money purchase, employee stock ownership plan, 403(b), etc.) whose account balance is taken by cyber theft, may be able to recover such losses[1] from a plan fiduciary[2] only when the theft is attributable to a cybersecurity breach that results from a breach of ERISA fiduciary duty of prudence by the fiduciary. The possibility of recovery also exists under The Mandatory Victims Restitution Act, which provides for the compensation of victims who suffer financial loss as the result of a federal crime, but recovery under that law requires a conviction of the culprit, which seldom occurs in the case of cybercrimes, and the recoverable amount may not exceed the greater of $250,000 or twice the amount stolen. If a loss was the result of negligence by a non-fiduciary, an action for negligence under state law may also be available, although there are unresolved ERISA preemption issues in this situation. From a federal income tax perspective, an affected participant may be able to claim a theft loss deduction if his or account was hacked or an unauthorized individual gained access to participant information and withdrew assets from the participant’s account, but such deduction is of limited value because the theft loss cannot exceed a taxpayer’s basis in the account.[3]
Unfortunately, the above forms of recovery may be of limited utility to the affected plan participant or beneficiary. The perpetrator of the cyber theft may not be discovered, and the affected participant may also bear no personal responsibility[4] for the cybersecurity breach. In addition, especially due to the dynamic nature of cybersecurity resulting from ever-changing technological advances, the cybersecurity breach may not have resulted from a breach of ERISA fiduciary duty[5] and the bar for establishing a state-based claim for negligence, even if such remedies were available, may be too high for a participant to overcome. Simply put, there may be no one available to blame and to hold responsible for cybertheft from a defined contribution retirement plan account. Even if there is a plan fiduciary against whom responsibility for the loss may be assessed, the fiduciary may not be liable for losses under ERISA Section 409. The means by which the cybersecurity threat was implemented may be such that the protective standards implemented by a hypothetical responsible fiduciary would not have prevented the loss even if they had been fully and properly deployed. In the absence of a causal connection between the plan fiduciary’s deficiency in protecting a participant’s account balance, there can be no liability for a breach of fiduciary duty under ERISA Section 409. In these circumstances, it seems appropriate to consider the establishment of a federal agency that would compensate victims of cybersecurity theft when the loss occurs in the absence of legal responsibility for the loss by a plan fiduciary or a non-fiduciary third-party service provider[6].
Proposal for the Establishment of the Defined Contribution Cybersecurity Insurance Corporation (DCCIC)[7]
Executive Summary
This proposal recommends the creation of a Defined Contribution Cybersecurity Insurance Corporation (DCCIC), a federal agency designed to insure private-sector defined contribution (DC) retirement plan assets against losses resulting from cybercrimes. The DCCIC would fill a critical gap in participant protection from cyber-related losses where ERISA does not provide a cause of action for breach of fiduciary duty and other avenues of recovery are unavailable, thereby enhancing retirement security in the digital age.
The Gap
The PBGC insures defined benefit plans but does not cover DC plans, except for optional coverage by terminated defined contribution plans to deal with lost or unresponsive plan participants. While the DOL has issued guidance on cybersecurity best practices, there is no federal mechanism to compensate participants and beneficiaries for cyber-related losses when fiduciaries or non-fiduciary third parties are not legally liable.
Mission and Objectives of the DCCIC
Mission:
To protect the retirement savings of participants and beneficiaries in defined contribution plans[8] from losses due to cybercrimes, both federal and state, by providing insurance coverage and promoting best practices in cybersecurity risk management.
Objectives:
- Insurance Coverage: Provide financial compensation to affected participants when cybercrime results in unrecoverable losses.
- Risk Assessment and Monitoring: Evaluate cybersecurity practices of plan sponsors, recordkeepers, and other DC plan service providers.
- Premium Collection: Collect insurance premiums from covered entities based on risk profiles and plan asset levels.
- Education and Standards: Promote cybersecurity awareness and, in conjunction with the DOL, establish minimum standards for plan fiduciaries.
- Incident Response Support: Assist in forensic investigations of cybersecurity breaches and in recovery efforts following cybersecurity breaches.
Organizational Structure
- Governance: Independent federal agency overseen by a board appointed by the President, including representatives of the DOL and the Treasury Department, as well as cybersecurity experts and retirement industry stakeholders.
- Funding: Self-funded through premiums paid by participating plan sponsors and service providers.
- Operations Divisions:
- Claims and Compensation
- Cybersecurity Risk Assessment
- Policy and Standards
- Education and Outreach
- Legal and Compliance
Eligible Plans
- ERISA-covered defined contribution plans (e.g., 401(k), 403(b))
- Plans must register with DCCIC and meet minimum cybersecurity standards
Covered Events
- Unauthorized account access resulting in financial loss
- Fraudulent distributions
- Data breaches leading to theft of retirement assets
- Cyberattacks on plan infrastructure
Exclusions or Reduced Coverage
- Losses due to participant negligence (e.g., sharing passwords)
- Losses where fiduciary breach is established and the breach caused the loss (covered under ERISA litigation)
- Losses recoverable under the Mandatory Victims Restitution Act
- Losses recoverable in a state-based negligence claim, to the extent not preempted by ERISA
Premium Structure
- Risk-Based Premiums: Based on plan size, number of participants, cybersecurity maturity, and historical incident data
- Tiered Model: Incentivizes adoption of best practices through lower premiums
Claims Process
- Incident Reporting: Plan sponsor or participant reports cyber incident
- Investigation: DCCIC conducts forensic review and determines eligibility in coordination with state forensic review
- Compensation: Approved claims result in direct reimbursement to affected participants
- Recovery Efforts: DCCIC may pursue subrogation against perpetrators, negligent third parties, and participants that make a subsequent recovery by other means.
Legal and Regulatory Considerations
- Legislation Required: Congressional authorization to establish DCCIC and define its powers
- Coordination with DOL and Treasury: Ensure alignment with existing ERISA enforcement and retirement policy
- Data Privacy Compliance: Adhere to federal and state data protection law
- Preemption of, or coordination with, state laws
Benefits and Impact
- Enhanced Retirement Security: Protects millions of workers from cyber-related financial loss
- Improved Cyber Precautions: Incentivizes better cybersecurity practices across the retirement industry
Next Steps
- Stakeholder Engagement: Convene industry, labor, and government representatives, and cyber security threat experts
- Legislative Drafting: Develop enabling legislation for Congressional consideration
- Pilot Program: Launch voluntary pilot program with select plans to test framework
- Full Implementation: Roll out national program following legislative approval
[1] Losses resulting from cybersecurity theft are not restricted to loss of all or a portion of a participant’s or beneficiary’s account balance: the theft of plan data containing personally identifiable information can result in losses outside the tax-favored defined contribution plan. However, redressing such losses, which include issues not present in the theft of plan assets, such as whether participant data constitutes plan assets under ERISA and Article III constitutional standing, is outside the scope of this article.
[2] There is likely to be a dispute whether a third-party administrator, or possibly a custodian of plan assets, is acting in a fiduciary capacity in connection with the events constituting the cyber theft.
[3] CCA 202511015. Cf. June 3, 2026, petition to Tax Court challenging IRS denial of theft loss deduction for a taxpayer who liquidated her IRA account of $800,000. Caputo v. Commissioner.
[4] Even if a plan participant bears responsibility for a cybertheft, unless such plan participant is a plan fiduciary with respect to the actions that caused harm to other plan participants, the adversely affected plan participants may have no cause of action against him or her, because it may be unclear under state law whether participants in a tax-qualified plan owe any duty to each other.
[5] ERISA’s duty of prudence is based on the circumstances then prevailing, and the relevant circumstances change rapidly with respect to cybersecurity developments.
[6] Even if a party bears legal responsibility and should not be released from liability or financial responsibility by a third party federal agency determination, if the negligent or imprudent conduct results in loss to multiple plan participants and beneficiaries, there may still be a need for a federal agency to cover the shortfall.
[7] The ERISA cyber threat issue may be analogous to the California wildfire issue, which caused insurers to lose money in fire insurance claims and in some instances to leave the state. States such as California for fire and Florida for hurricanes have state last resort arrangements but those arrangements have limitations, such as dollar caps on recovery. Therefore, there has been consideration, at least to a limited extent of having a federal back up program. These types of events are scaled down versions of the events that insurers seek to address through major event exclusions.
[8] Consideration could be given to extending eligibility to governmental plans and church plans.


