The trend: Plan sponsors have a fiduciary duty to evaluate your cybersecurity. These questionnaires are becoming annual, more detailed, and non-negotiable. The TPAs that answer confidently don't just retain clients — they win new ones.

This Is Happening to TPAs Right Now

Your largest plan sponsor sends an email with a 15-page cybersecurity questionnaire attached. They need it back in 30 days. The questions are specific, technical, and unforgiving: Do you have a formal cybersecurity program? Can you provide a SOC 2 Type II report? What is your incident response plan? How do you handle encryption? When was your last penetration test?

If your stomach drops when you read those questions, you're not alone. But you need to understand why this is happening and what it means for your business.

Why Plan Sponsors Are Asking

Plan sponsors have a fiduciary duty under ERISA to evaluate the cybersecurity practices of every service provider that touches participant data. The DOL made this explicit in their "Tips for Hiring a Service Provider" guidance, and the January 2026 elevation of cybersecurity to a National Enforcement Project has made plan sponsors acutely aware of their exposure.

These questionnaires aren't a one-time compliance exercise. They're becoming annual, and they're getting more detailed every year. Plan sponsors who don't conduct cybersecurity due diligence on their TPAs are themselves at risk of DOL enforcement action.

The Questions They're Asking

While every questionnaire is different, the core questions map directly to DOL's 12 cybersecurity best practices. Plan sponsors typically want to know:

1. Whether you maintain a written cybersecurity policy
2. Whether you conduct annual risk assessments
3. Whether you can provide SOC 2 or equivalent third-party audit results
4. Who is responsible for cybersecurity at your firm
5. How you control access to participant data
6. How you vet your own vendors' security
7. Whether you conduct employee security awareness training
8. How you handle system changes and updates
9. What your disaster recovery and business continuity plans look like
10. How you encrypt data at rest and in transit
11. What technical security controls you have in place
12. What your incident response procedures are if a breach occurs

The Wrong Way to Respond

The worst thing you can do is scramble to assemble answers from scratch. Pulling documentation together under pressure leads to vague responses, missing evidence, and inconsistencies that erode plan sponsor confidence. If your answers read like they were written the week the questionnaire arrived, plan sponsors will notice.

The Right Way to Respond

TPAs that answer cybersecurity questionnaires confidently share one trait: they maintain audit-ready documentation continuously, not reactively. Their cybersecurity policy is current. Their risk assessment was completed within the last 12 months. Their SOC report is on file. Their incident response plan has been tested. When the questionnaire arrives, they pull pre-existing documentation off the shelf rather than creating it under deadline pressure.

This isn't just about compliance. It's a competitive advantage. TPAs that can respond to cybersecurity questionnaires quickly, thoroughly, and with supporting documentation don't just retain existing clients — they win new ones. In a market where plan sponsors are actively evaluating whether their current TPA can meet DOL expectations, your cybersecurity posture becomes a differentiator.

How TPAIT Helps

TPAIT maintains your cybersecurity documentation as part of our ongoing service — not as a scramble when a questionnaire arrives. Your security policies, risk assessments, access control documentation, incident response plans, and compliance evidence are organized and current at all times. When a plan sponsor sends a questionnaire, you respond with confidence instead of panic.

For a detailed breakdown of what DOL expects, see our DOL Cybersecurity Compliance Guide.

Key Takeaways

Don't Scramble

Maintain audit-ready documentation continuously, not reactively when a questionnaire arrives.

Know the 12 Practices

Every question maps to DOL's 12 cybersecurity best practices. Master them and you master the questionnaire.

Turn Compliance Into Sales

Strong security documentation differentiates your TPA from competitors during plan sponsor evaluations.

Turn Cybersecurity Due Diligence Into Your Competitive Edge

Get a free assessment of your current security posture — and the documentation to prove it.