HackFirstAid Pension Administrators
Scope of Use

What this site is — and what it is not.

HackFirstAid publishes cybersecurity-readiness guidance for pension plan administrators. Please read the following before relying on anything here.

Security advisory only

HackFirstAid provides security advisory, training, and incident-response readiness. We do not provide fiduciary, legal, actuarial, or investment advice. Nothing on this site, and nothing in an engagement, is a legal opinion or a statement of your fiduciary duty in your jurisdiction. Where we describe what regulator guidance generally expects, that description is for orientation — decisions about your duty belong with your board, your counsel, and your regulator.

Your fiduciary duty stays with you

The administrator's fiduciary, regulatory, and statutory duties remain the administrator's. Reading this site, downloading a checklist, subscribing to the Pension Brief, or engaging the advisory creates no advisory or fiduciary relationship and transfers none of the duty.

No member-data custody

HackFirstAid stores no member or benefit data. All member and benefit data stays on the administrator's and its vendors' systems. We exist to shrink the vendor attack surface, not add to it.

No hands-on incident response

We do not deploy responders or run remediation in your environment. For active incident response and forensics, engage a qualified DFIR firm and breach counsel directly. We will warm-intro a vetted partner where useful.

No vendor scoring

Vendor-oversight reviews we conduct are evidence-based and confidential to the administrator. HackFirstAid does not publish public "scores" or rankings of the recordkeepers, custodians, or other service providers it assesses.

← Back to pensions.hackfirstaid.com