What this site is — and what it is not.
HackFirstAid publishes cybersecurity-readiness guidance for pension plan administrators. Please read the following before relying on anything here.
Security advisory only
HackFirstAid provides security advisory, training, and incident-response readiness. We do not provide fiduciary, legal, actuarial, or investment advice. Nothing on this site, and nothing in an engagement, is a legal opinion or a statement of your fiduciary duty in your jurisdiction. Where we describe what regulator guidance generally expects, that description is for orientation — decisions about your duty belong with your board, your counsel, and your regulator.
Your fiduciary duty stays with you
The administrator's fiduciary, regulatory, and statutory duties remain the administrator's. Reading this site, downloading a checklist, subscribing to the Pension Brief, or engaging the advisory creates no advisory or fiduciary relationship and transfers none of the duty.
No member-data custody
HackFirstAid stores no member or benefit data. All member and benefit data stays on the administrator's and its vendors' systems. We exist to shrink the vendor attack surface, not add to it.
No hands-on incident response
We do not deploy responders or run remediation in your environment. For active incident response and forensics, engage a qualified DFIR firm and breach counsel directly. We will warm-intro a vetted partner where useful.
No vendor scoring
Vendor-oversight reviews we conduct are evidence-based and confidential to the administrator. HackFirstAid does not publish public "scores" or rankings of the recordkeepers, custodians, or other service providers it assesses.