Shadow IT and the "Spreadsheet Trap" in Plan Administration
In the world of high-stakes cybersecurity, we often talk about “Zero Trust” and “Encryption at Rest.” But in the daily reality of an HR department or a Plan Sponsor’s office, the most critical data often lives in a file named Plan_Census_FINAL_v2_2026.xlsx.
This is the Spreadsheet Trap. It is the silent killer of ERISA compliance.
The Department of Labor (DOL) has shifted its focus. In their latest examination requests, they are no longer just looking at your official recordkeeping platform. They are now specifically targeting Shadow IT: the systems, spreadsheets, and file-sharing methods used to manage the plan that live outside of official, IT-vetted infrastructure.
The Auditor’s New Target: The “Schedule of Systems”
When the DOL sends an information request, they aren’t just checking your firewall. They are asking for a “Schedule of systems critical to the maintenance and protection of Plan participant data and assets”.
Specifically, auditors are now demanding that you describe:
Critical Data Mapping: A description of data like payroll records, elections, beneficiary forms, and electronic personnel records.
The “Spreadsheet” Disclosure: Any spreadsheets used as critical systems (e.g., census data).
File Sharing & Network Folders: How you use shared folders on a network to manage plan information.
Email Administration: How email is used to actually administer the plan.
If your answer to these questions is “we just save them to the S: drive and email them to the accountant,” you have just documented a major fiduciary gap.
“Describe any spreadsheets that are used as critical systems (e.g. census data).”
Why Spreadsheets Are a Fiduciary Liability
Spreadsheets are fundamentally an “Anti-SDLC” tool. In my experience securing assets worth over $1 quadrillion, I’ve seen that chaos thrives where there is no process. A formal System Development Life Cycle (SDLC) ensures that security, code review, and architecture analysis are baked into a system. A spreadsheet, by contrast, is often built by one person, on one computer, with zero oversight.
The Total Lack of Access Control
The DOL explicitly asks for information regarding access controls, such as “who has administrator privileges to the email server?”. For a spreadsheet, the “admin” is often whoever has the file open. Most spreadsheets lack the granular access controls required by EBSA best practices, which demand that privileges be limited based on the role of the individual and the “need-to-access” principle.
The Encryption Gap
EBSA best practices require the encryption of sensitive data, both stored and in transit. Most local spreadsheets are unencrypted. If an HR manager’s laptop is stolen or their email is compromised, that census data—containing Social Security numbers, birth dates, and salary info—is wide open. The DOL specifically requests all documents reflecting your processes for the encryption of sensitive data.
Missing Audit Trails
A sound cybersecurity program identifies and assesses risks. Spreadsheets rarely have audit logs. You cannot see who changed a participant’s vesting percentage or who downloaded a copy of the payroll file. This lack of transparency is exactly what DOL examiners are looking for when they ask for “documents reflecting the components” of your program.
Escaping the Trap: A Step-by-Step Hardening Guide
To move from “Chaos” to “Prudence,” you must treat your local data with the same respect as your primary recordkeeping system.
Phase 1: The Shadow IT Audit
You must be able to describe the “critical data” used by the plan.
Locate the “Invisible” Data: Identify every spreadsheet and shared folder used for plan administration.
Identify Outsourced Flows: Show which systems (and data) are outsourced to service providers, like cloud email or recordkeeping.
Document the “In-House” Risk: If you are using internally developed systems or complex macros, you must be able to provide copies of your system development lifecycle controls.
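As an added example, not from the original post, here is a small Python inventory script for the Phase 1 audit above and the Encryption Gap described earlier: it walks a shared folder, records whether each workbook is a plain zip (readable by anyone who copies the file) or an Office password-protected container, and flags dashed SSN-style values so the file can be listed as a critical system. The share layout, the Beneficiaries and payroll files, and every SSN-style value are constructed for the demo.

```python
import re
import tempfile
import zipfile
from pathlib import Path

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # Compound File Binary header
ZIP_MAGIC = b"PK\x03\x04"                        # a plain .xlsx is just a zip archive
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")    # dashed SSN-style text only (see note below)

def classify(path: Path) -> dict:
    """Inventory record for one file: readable by anyone holding it? does it look like census data?"""
    with path.open("rb") as f:
        head = f.read(8)
    ext = path.suffix.lower()
    rec = {"file": path.name, "encrypted": None, "ssn_like": False}
    if ext in (".xlsx", ".xlsm") and head.startswith(ZIP_MAGIC):
        rec["encrypted"] = False  # plain OOXML: contents are readable by anyone who copies the file
        with zipfile.ZipFile(path) as z:
            # Scan shared strings and sheet XML. An SSN typed as a bare number (no dashes) is
            # stored as a numeric <v> and would need a second, numeric-aware pattern.
            for name in z.namelist():
                if name.startswith("xl/") and name.endswith(".xml"):
                    if SSN_RE.search(z.read(name).decode("utf-8", "replace")):
                        rec["ssn_like"] = True
    elif ext in (".xlsx", ".xlsm") and head.startswith(OLE_MAGIC):
        rec["encrypted"] = True  # Office password protection wraps the zip in an OLE container
    elif ext == ".csv":
        rec["encrypted"] = False
        rec["ssn_like"] = bool(SSN_RE.search(path.read_text(errors="replace")))
    # legacy .xls and anything else keep encrypted=None: flag for manual review
    return rec

def audit(root) -> list:
    """Walk a share and return one record per spreadsheet-like file, sorted by name."""
    exts = {".xlsx", ".xlsm", ".xls", ".csv"}
    files = [p for p in Path(root).rglob("*") if p.is_file() and p.suffix.lower() in exts]
    return sorted((classify(p) for p in files), key=lambda r: r["file"])

def make_sample_share(root) -> Path:
    """Constructed stand-in for an 'S: drive'; every SSN-style value here is fabricated."""
    root = Path(root)
    with zipfile.ZipFile(root / "Plan_Census_FINAL_v2_2026.xlsx", "w") as z:
        z.writestr("xl/sharedStrings.xml", "<sst><si><t>123-45-6789</t></si></sst>")
    (root / "Beneficiaries.xlsx").write_bytes(OLE_MAGIC + b"\0" * 504)  # stands in for a password-protected workbook
    (root / "payroll_export.csv").write_text("name,ssn\nA. Sample,987-65-4321\n")
    (root / "Old_Census_2019.xls").write_bytes(OLE_MAGIC + b"\0" * 504)  # legacy binary, manual review
    return root

def demo() -> list:
    return audit(make_sample_share(tempfile.mkdtemp()))
```

Point `audit()` at a real share to produce the raw material for the "Schedule of Systems" response; a plain workbook that also trips the SSN pattern is the exact census file the DOL request is asking you to disclose.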
Phase 2: Implementing Fiduciary Guardrails
For every critical file identified, you must implement technical controls in accordance with best practices.
Access Hardening: Limit access to systems and assets to authorized users only.
Physical Controls: Describe the physical controls over key systems, such as locked server rooms or encrypted hardware.
MFA for the Cloud: If your spreadsheets live in a cloud provider, Multi-Factor Authentication (MFA) is non-negotiable.
Phase 3: Securing the “Movement of Money”
The DOL asks for documents reflecting the plan’s processes for the encryption of sensitive data in transit.
Stop the “Email Habit”: Email is a tool for communication, not a secure database.
Verify Identity: Implement procedures to confirm the identity of the authorized recipient of funds.
Match the Data: Ensure that any sensitive information in the service provider’s records matches the information maintained by the plan.
The Strategic Benefit: Methodical Efficiency
Hardening your Shadow IT isn’t just about passing a DOL exam. When you move away from the “Spreadsheet Trap” and toward methodical controls, you reduce the chaos of plan administration.
By applying System Development Life Cycle (SDLC) controls to your internal processes—even the ones that happen in Excel—you ensure that security assurance activities like architecture analysis are an integral part of the effort. This methodical approach makes your operations more efficient, less prone to human error, and significantly more difficult for a cybercriminal to exploit.
“A secure SDLC process ensures that security assurance activities such as penetration testing, code review, and architecture analysis are an integral part of the system development effort.”
Conclusion: Securing the “Small” Systems
The Department of Labor isn’t just auditing your vendors; they are auditing your oversight. If you cannot describe the “physical controls” over the systems holding your plan data—like locked server rooms—you are failing the “Prudent Person” test.
Don’t let a simple spreadsheet become the reason for a fiduciary breach. Move your critical data out of the shadows and into a documented, encrypted, and methodical framework.