CyberSecure

FOR LOCAL UNIONS

2026 Cybersecurity Governance Planning Guide

Cybersecurity isn’t just an IT issue; it’s a fiduciary responsibility. Every benefit fund that handles member data, retirement accounts, or health information has an obligation to prove that it’s managing those risks year-round. This guide outlines a practical, month-by-month governance plan designed from inside the fund. Whether you do this yourself or engage a partner like Secure Unions, these steps must happen to protect your members and your trustees.

January
Set the Direction

  • Re-affirm the fund’s cyber governance structure: who owns oversight, and who manages execution?
  • Review last year’s incidents and open risks.
  • Update or approve this year’s cybersecurity budget and priorities.
  • Refresh the inventory of systems, vendors, and data types (PII, PHI, payroll, contributions).

February
Train and Test

  • Launch annual staff and trustee cyber awareness training.

  • Update the Incident Response Plan and test notification procedures.
  • Confirm vendor contact lists and escalation paths are current.

March
Validate and Insure

  • Conduct a tabletop exercise based on a vendor breach or ransomware scenario.

  • Review cyber insurance coverage and make sure limits and notification timelines align with real exposure.
  • Request current audit reports (SOC 2, ISO 27001, or equivalent) from key vendors.

April
Check Compliance

  • Review applicable guidance: DOL, ERISA fiduciary expectations, and state data-protection laws.
  • Map internal policies (access, remote work, data retention) to those standards.
  • Identify any gaps that require board attention.

May
Tighten Controls

  • Verify multi-factor authentication, backups, and patch management are functioning as intended.

  • Confirm least-privilege access for fund administrators and vendors.
  • Document system-access reviews for audit.

June
Mid-Year Reality Check

  • Revisit your risk register — what’s improved, what hasn’t.

  • Review progress toward annual goals and budget.
  • Present a mid-year update to trustees with plain-English metrics.

July
Simulate and Measure

  • Run a phishing simulation and report results at the next board meeting.

  • Review insider-threat safeguards, including access logs and change management.
  • Schedule at least one deep-dive vendor risk review.

August
Stress the System

  • Test business continuity and disaster-recovery plans.

  • Confirm vendors can restore operations within expected timeframes.
  • Verify off-site backups and data-restore capabilities.

September
Assess and Update

  • Conduct or commission a formal cybersecurity assessment or external penetration test.

  • Update written policies based on findings.
  • Prioritize remediation before year-end.

October
Build Awareness

  • Take advantage of Cybersecurity Awareness Month.

  • Reinforce training with real-world fund examples.
  • Recognize staff who demonstrate strong security habits.

November
Plan Ahead

  • Begin drafting next year’s governance plan and cyber budget.

  • Review contract renewals and upcoming vendor assessments.
  • Update the fund’s risk and compliance dashboard for trustee presentation.

December
Plan Ahead

  • Summarize annual metrics: incidents, vendor compliance, training completion, risk trends.

  • Deliver a concise “Cyber Governance Report” to trustees and auditors.
  • Approve the 2027 plan and carry forward lessons learned.

Final Word

Cybersecurity governance isn’t about adding tasks; it’s about creating rhythm. A fund that touches sensitive member data every single day must be able to prove its vigilance every single month.

Use this calendar to stay on track. If you need help, reach out to Secure Unions to ensure your members’ sensitive information is locked down safely.  

Let’s build something better - together.

The Department of Labor emphasizes the importance of cybersecurity for those responsible for plan-related IT systems and data.

Don't leave your cybersecurity to chance. Ensure best practices with a comprehensive solution tailored for unions.
