The first hour decides whether your members' data, your pensioners' next payment, and your board's confidence survive it.
For pension plan administrators and plan-administration corporations. A recordkeeper breach you didn't cause, a redirected benefit payment, ransomware the week of the pension run — in plain language. No jargon, no enterprise security tax, and a clear path through your fiduciary duty, your regulator, your insurer, and the board briefing you'll have to give.
The recordkeeper or vendor breach
Your worst day usually starts on someone else's system — a recordkeeper, custodian, actuary, or death-audit vendor is breached and your members' data goes with it. You didn't cause it, but you own the notification, the credit-monitoring bill, and the board's questions. We built the response runbook — and the vendor-oversight program that contains the blast radius.
Read the vendor-breach playbook →The fiduciary duty you have to document
DOL/EBSA, CAPSA Guideline No. 10, and the UK's TPR now treat cybersecurity as part of an administrator's fiduciary duty — including prudently selecting and monitoring every service provider. We help you meet it and, just as important, prove you met it: the assessment, the policy program, and the board-ready record.
How we make it board-ready →Three things a pension office carries that nobody else does.
An administrator sits on the permanent identity record of a population that skews older, trusting, and acutely dependent on the next deposit — and most of the real attack surface is other people's systems. The defenses are usually a lean back office and a small or outsourced IT function, governed by a board that carries the duty but rarely the cyber fluency. This site is built for that reality.
Your worst day starts on someone else's system
Recordkeepers, custodians, actuaries, auditors, death-audit and data-match vendors, the member-portal provider, the print-and-mail house, the employers feeding contribution files. Your members' data lives across all of them. When one is breached — the MOVEit/PBI pattern that hit over a million CalPERS and CalSTRS members — you didn't get hacked, but you still own the notification and the board's questions.
The money moves on a schedule you can't pause
The benefit run is a retiree's grocery money, and it lands on a date you can't move because a vendor got breached. Fraudsters know it: a "please change my banking" request, a compromised member-portal account, a spoofed instruction on an asset transfer. The recall window is short and the population is vulnerable. The controls that stop it are cheap and boring — and almost nobody has written them down.
Cyber is now the board's fiduciary duty
DOL/EBSA expects fiduciaries to mitigate cyber risk and to prudently select and monitor service providers. CAPSA Guideline No. 10 makes it part of an administrator's risk-management standard of care. The UK's TPR requires cyber internal controls. A breach is no longer just an IT event — it's a documented fiduciary question your board, your auditor, and your regulator will all test. The defensible posture is the written record you build before it happens.
When the breach is a vendor's, but the members are yours.
In 2023 the MOVEit vulnerability was exploited at PBI Research Services — a death-audit vendor pension funds send member data to. Through that one vendor, attackers reached the data of about 769,000 CalPERS retirees and beneficiaries (names, Social Security numbers, dates of birth) and CalSTRS members — over a million people across the two systems. The funds had sent the data encrypted and in good faith. They still owned the notification, the credit-monitoring bill, the class actions, and the board briefing. This is the most likely real incident a pension administrator faces. The playbook covers the response and the prevention.
Confirm, notify, brief, preserve
Confirm what data the vendor held and which members are affected. Invoke the contract's breach and indemnity clauses. Start the regulator and privacy-commissioner notification clocks (DOL/state AG, your provincial regulator and commissioner, or TPR/ICO). Stand up member notification and credit monitoring — retirees need phone and mail, not just email — and brief the board with a clear, plain-language picture.
Prudent selection and monitoring, on the record
The thing the guidance actually requires and the thing that contains the blast radius: SOC 2 reviews on file, a security-questionnaire battery, contract breach/indemnity red-lines, and an annual re-attestation cadence for every recordkeeper, custodian, actuary, TPA, and data vendor. A reusable register so the next vendor review takes hours, not weeks — and so you can show you monitored them.
Prove you selected and monitored prudently
After a vendor breach, the question is whether you exercised prudence. The answer is the documentation: the selection criteria, the SOC 2 you reviewed, the questionnaire you sent, the contract terms you negotiated, the board minutes. We help you build that record before it's needed — it's what protects the fiduciary and what gets the insurance claim paid.
Meet the fiduciary cyber duty — and prove you met it.
Regulators have made cybersecurity part of the fiduciary standard of care: DOL/EBSA Best Practices (now applied to all ERISA plans), CAPSA Guideline No. 10 in Canada, and the UK's TPR General Code. The board carries the duty and increasingly asks the administrator "are we covered?" We turn that into a specific, defensible answer — and a board-ready record.
Where the member data lives, ranked by risk
A CIS Controls v8.1 / NIST CSF 2.0–aligned assessment mapped to DOL/EBSA Best Practices and CAPSA Guideline No. 10: a member-data inventory and data-flow map (internal and across vendors), a benefit-payment control review, a risk register, and a 12-month remediation roadmap. Plus the plain-language board summary that makes the CEO look prepared.
The documented program a board expects
An information-security policy, an incident-response plan, a vendor-management policy, access/MFA/encryption/backup standards, and a benefit-payment fraud-control policy — CAPSA and DOL mapped, with a board adoption memo. The set an auditor's management letter, an insurer's application, and a regulator all ask to see.
One consistent cyber report, every quarter
Trustees don't need the technical detail — they need a consistent, plain-language quarterly cyber risk report they can read, question, and minute. We produce it on the board's risk-committee cycle so cyber oversight is documented and the CEO stops building the report from scratch. Shared backbone with boards.hackfirstaid.com.
Written for the week the pension run is due and a vendor just called.
Each playbook is a plain-language walkthrough with a one-page action card on top — the security response and the administrator's continuity decisions running side by side. Phase 1 ships the four below; the full library of twelve follows. Each lives at its own indexable URL with FAQ schema.
Third-party / recordkeeper breach
The signature pension scenario and the most likely real incident. A vendor in the administration chain — recordkeeper, custodian, actuary, death-audit, file transfer — is breached and your member data goes with it. The first-72-hours path (confirm scope, invoke the contract, start the regulator clocks, notify members, brief the board, preserve the fiduciary record) plus the vendor-oversight program that contains the next one.
Benefit-payment / direct-deposit redirection fraud
A fraudster — or a compromised member-portal account — submits a 'change my banking' request and the next pension payment lands in the attacker's account. The member-services decision tree (out-of-band verification before any banking change, the rush-payment red flags), the recall path once a fraudulent EFT has gone out, and the controls that stop it: dual approval, callback verification, change-of-banking confirmation.
Ransomware mid-benefit-run
The pension administration system, benefit-calculation engine, or member database is encrypted while the monthly run is due. The hard truth up front: a retiree's pension can't simply wait. The continuity decision tree (run from last-known-good data? manual interim payments? sponsor or custodian fallback?) runs in parallel with the security response — alongside member and board communication.
Member self-service portal account takeover
Stolen member credentials on the self-service / 'My Retirement Plan'-type portal — often a third-party platform. The attacker views member data, changes contact or banking details, or harvests the population. The member-services triage tree, the MFA and step-up-verification posture, and the mass-enumeration warning sign that means it's not one member, it's a campaign.
A vendor just reported a breach? Start here — free.
The free triage walkthrough is always available and always free. If a recordkeeper has just called, or a benefit payment looks redirected, it tells you the exact first steps and calls to make, in order, while the clocks are running. No login, no sales call. If you'd rather have a person on the phone, that's what the advisory is for. Open free triage →
Four ways to work with us. All productized, all priced before you start.
Not consulting hours that meter while you watch. Each engagement is a defined package with a defined deliverable and a defined fee — because a CEO answers to a board that needs to predict the expense and the timeline, and to an auditor who wants documented controls.
Fiduciary risk assessment & vendor oversight
The Fiduciary Cyber Risk Assessment, the service-provider / vendor cyber-oversight program, the board-ready policy & governance pack, cyber & fiduciary-liability insurance application support, and benefit-payment fraud-control setup. The work that makes the administrator demonstrably secure — to a board, an auditor, a regulator, or an insurer.
Assessment report, risk register, remediation roadmap, vendor-risk register, policy suite, board summary.
Awareness for staff — and trustees
Monthly micro-lessons and phishing simulations tuned to the lures a pension office actually sees — benefit-redirection requests, fake recordkeeper breach alerts, fake board-portal logins, spoofed regulator notices — plus a focused module for everyone who touches banking changes. And a trustee cyber-literacy track so the board can meet its oversight duty and ask the right questions.
Per-seat licenses, completion reporting, member-services module, trustee track (shared with boards.*).
IR & breach readiness
A retainer because the value is the availability — the worst incidents land the week of the benefit run and reward a pre-built plan and a known phone number, not a scramble. Named on-call lead, response SLAs, the benefit-run continuity runbook, the vendor-breach response runbook, quarterly drills, an annual tabletop, and guidance through DOL/CAPSA/TPR notification and the fiduciary/cyber claim.
IR retainer, tabletop exercise, Breach Readiness Pack with pre-staged member & regulator notification templates.
Managed security / vCISO
Ongoing security oversight and a credible answer to 'who owns cyber here?' without an in-house CISO hire. Quarterly reviews aligned to the board's risk-committee cycle, the policy suite kept current, the vendor-oversight program run, insurer-renewal support, and the board cyber report produced each quarter. A direct line for the month-to-month 'should we…?' decisions.
Monthly retainer, quarterly or monthly reviews, per-vendor risk reviews, board cyber-reporting service.
Personal coverage for your staff — and your retirees.
Administrator staff go home as individual targets, and retirees are an elevated, older, target-rich identity-theft population. Personal-tier HackFirstAid is bundled into every paid administrator subscription at no extra cost for every staff member's household — and there's a member-facing "protect your pension" resource you can hand to retirees. Same model boards, leadership, and medical subscribers have had since day one.
Pick the work, get a fixed quote, know the timeline.
Start with the free triage if something is on fire. Otherwise, tell us which of the four — risk & readiness, training, incident response, vCISO — fits where the administrator is, and we scope a fixed-fee engagement before you commit a dollar. Many administrators start with the vendor-oversight assessment (the fiduciary wedge) or a vCISO retainer, and add the board program. Every quote names the deliverable, the fee, and the timeline up front, in a form the board can approve.
What we don't do
- Fiduciary, legal, actuarial, or investment advice. HackFirstAid provides security advisory, training, and incident-response readiness. We help you document prudent process; we do not assume your fiduciary duty, and nothing here is legal, actuarial, or investment advice.
- Hands-on forensics or remediation. We don't deploy responders or run remediation in your environment. Advisory is decision support and runbook coaching; for execution we warm-intro a vetted DFIR partner.
- Holding your member or benefit data. All member and benefit data stays on the administrator's and its vendors' systems. We are advisory only — never member-data custody. We exist to shrink the vendor attack surface, not add to it.
- Vendor scoring or rankings. Our vendor-oversight reviews are evidence-based and confidential to you. We don't publish public "scores" of the recordkeepers and custodians we assess.
- Cyber-insurance brokerage. We help you read your policy and assemble the application, but the policy is sold by your broker.
- Tooling or licenses. We don't sell EDR, recordkeeping, or backup software. We help you use what you have well.
Two one-pagers worth taking to the next board meeting.
Pension Vendor-Breach Readiness Checklist
One page: the vendor inventory, the SOC 2 on file, the contract breach and indemnity clauses, the notification templates pre-staged, and the board-briefing path. Built for the morning a recordkeeper calls. Print it, brief the team, and put it where the incident plan lives.
5-Minute Plan-Administrator Cyber Self-Check
Ten questions: MFA on the member portal and admin systems? Benefit-banking changes on dual approval with a callback? Member database encrypted? Recordkeeper and custodian SOC 2 reviewed this year? IR contact named? Backups tested? Cyber/fiduciary-liability current, including funds-transfer coverage? Death-match data feed secured? Has the board reviewed cyber this year? Notification templates ready?
Travis runs every administrator engagement personally.
No SDR, no sales engineer. You email Travis. Travis answers. If HackFirstAid isn't the right fit for your plan — or if your problem is one a hands-on DFIR firm or breach counsel should run, not a readiness advisory — Travis will tell you that and point you to whoever is.
One cyber-readiness stack. Eleven audiences.
A pension administrator is targeted through every vendor it shares member data with, at the benefit run, and in the inbox. The HackFirstAid family covers personal, SMB, medical, municipal, K-12, governance, executive, practitioner, law-firm, pension, and family-office layers — and paid administrator subscribers get personal-tier access for every staff member's household at no extra cost.