"[M]ore than half of plan sponsors rank cybersecurity as their number one plan concern, surpassing worries about poor investment performance (45 percent) and insufficient participant savings (43 percent). That concern is well founded."
"[T]he Department plans to continue to devote many more resources to health and welfare plan enforcement. In particular, DOL highlights two projects for 2026: [1] barriers to mental health and substance use disorder benefits (MH/SUD), and [2] surprise billing.... DOL continues to pursue a variety of projects to protect the benefits of retirement plan participants.... [T]he Department for the first time included cybersecurity on the national enforcement project list."
"Health plan sponsors can expect increased examination activity, particularly in mental health and surprise billing.... Cybersecurity has officially graduated from buzzword to enforcement priority -- and this priority applies to retirement plans.... Service-provider-level reviews of 3(21) and 3(38) fiduciaries.... Investment selection in 404(c) plans.... Underfunded defined benefit plans.... ESOPs and missing participants deprioritized."
"EBSA intends to prioritize investigations in the following health plan areas: [1] Cybersecurity and data protection ... [2] Mental health and substance use disorder parity ... [3] Surprise billing compliance ... [4] Protections of employee contributions ... EBSA reaffirmed its ongoing efforts to identify abusive or fraudulent Multiple Employer Welfare Arrangements (MEWAs)."
"EBSA stated that its investigations will continue to evaluate how plans and service providers protect against cybersecurity threats.... [T]he Mental Health Parity and Addiction Equity Act and its 2013 regulations, as well as the Consolidated Appropriations Act, 2021, remain ... an enforcement priority.... EBSA will be focusing enforcement efforts on the implementation of the No Surprises Act ... EBSA will be reviewing pension plan practices to notify participants who are approaching normal retirement age and required minimum distribution age[.]"
"[OCR's] January 2026 Cybersecurity Newsletter ... reinforces OCR's continued expectation that HIPAA covered entities and business associates proactively reduce cybersecurity risks to electronic protected health information (ePHI) through ongoing technical and operational safeguards.... Privacy and security officers should also consider these recommendations as a baseline for risk management responsibilities and consider integrating the safeguards into internal auditing programs."
"[T]he most important thing for plan sponsors and recordkeepers to communicate is that digital scams exist across an 'evolving landscape.' Not only are there commonplace clickbait phishing emails, but also artificial intelligence-powered deepfake scams sophisticated enough to make even the most tech-savvy of participants fall prey."
"[T]he New York State Department of Financial Services (NYDFS) issued an industry letter ... which clarifies covered entities' responsibilities when engaging third-party service providers (TPSPs) that access information systems or nonpublic information (NPI). Although the guidance does not add new rules to the NYDFS Cybersecurity Regulations, it clarifies regulatory requirements with respect to TPSPs, provides suggestions for best practices, and may signal increased regulatory focus on third-party risk management."
"[M]ore than half of plan sponsors rank cybersecurity as their No. 1 'plan fear,' ahead of poor investment performance (45%) and insufficient participant savings (43%).... High profile breaches, such as the recent attack on a leading recordkeeper affecting more than 1,000 participants and traced to a third-party client management cloud application, demonstrate how a single weak point can compromise participant data and disrupt operations."
"A professional uniquely positioned to discuss cybersecurity in the context of retirement plans offers her insights on the nuances and hard realities of protecting assets, balances, sensitive information and more from unauthorized access.... She observed that 73% of the organizations that experience a breach of security experience a second one. And this, she said, 'is because they didn't identify the cause and didn't fix it.'"
"ERISA’s Section 404 talks about acting prudently and solely in the interest of participants. That used to mean watching fees, monitoring investments, and keeping minutes. But in 2025, prudence means locking down your participant data like it’s Fort Knox. Every Social Security number, every date of birth, every account balance—those are plan assets in digital form."
"Recent guidance from both the [DOL] and the New York State Department of Financial Services (DFS) underscores the importance of due diligence and ongoing oversight of ... third-party administrators (TPAs), carriers, and technology platforms ... Outsourcing the administration does not absolve you of your fiduciary duty.... Here's a checklist to guide your due diligence related to cybersecurity."
"[1] Cybersecurity is a fiduciary issue.... [2] Vet and tighten your vendor contracts now.... [3] Look for documentation, not just policies ... [4] Train your people, and document that training.... [5] Check your insurance, and insist on cyber coverage.... [6] Bring cybersecurity into your plan oversight meetings.... Cybersecurity isn't just an IT problem, it's an ERISA oversight issue."
"62% of retirement plan website and app users say security is more important than convenience regarding their overall digital experience. Moreover, account security is now one of the biggest drivers of overall customer satisfaction with retirement account digital tools, alongside core usability and design features such as visual appeal, navigation and speed."
"Cyber-attacks on Section 401(k) plans and their participant accounts are not only increasing in number but, with the use of AI, they are increasing in sophistication. Plan fiduciaries ... need to take steps to protect plan assets from these risks by implementing appropriate cybersecurity measures. All employees (not just HR staff) need to be aware of cybersecurity risks because those risks cannot be managed solely by IT security protocols such as secure messaging and multi-factor authentication."
"In its ongoing efforts to bolster cybersecurity in ERISA-covered plans, the [DOL] has issued multiple layers of guidance, one of which is a set of Online Security Tips.... These tips aren't directed at plan sponsors or fiduciaries, but the DOL, by including them in the broader cybersecurity release, implies a clear expectation: you should inform your participants."
"Over the past decade, the electronic health record (EHR) market has become increasingly consolidated, with the majority of care delivery organizations now using one of two vendors ... This consolidation creates a 'single-point-of-failure' tail risk for cybersecurity ... Given that reversing consolidation is unlikely due to high EHR switching costs, it is critical that policymakers establish safeguards that ensure robust protections for patients' sensitive data.... Sustained investment in regulatory oversight and continued partnerships between policymakers, care delivery organizations, and EHR vendors are essential to contain the catastrophic risk involved from this ongoing market consolidation."
"Personal data belonging to most of Allianz Life Insurance Co. of North America's 1.4 million U.S. customers was exposed on July 16 ... The breach was discovered one day after a 'malicious threat actor' hacked into a third-party customer relationship management system used by the insurer ... An attorney for Allianz submitted a disclosure of the breach to the office of the Maine attorney general."
"The DOL outlines 12 best practices that reflect key areas of responsibility for ERISA plan sponsors and service providers ... Taking steps now puts plan sponsors in a stronger position for when the guidance eventually shifts from recommendation to requirement."
"As a plan sponsor, taking steps to secure your plan data isn't optional, it's part of your legal duty to act in your participants' best interests.... [1] Review your vendor contracts for cybersecurity language. [2] Request and review audit reports from your service providers. [3] Implement basic security practices for your internal team. [4] Educate your participants about protecting their accounts. [5] Document your efforts as part of fiduciary oversight."
"[1] Establish a formal cybersecurity program ... [2] Conduct annual risk assessments ... [3] Require independent third-party audits ... [4] Define security roles and implement strong access controls ... [5] Ensure secure management of cloud services and vendors ... [6] Implement secure development practices and business resiliency programs ... [7] Encrypt sensitive data and maintain strong technical controls ... [8] Prepare for and respond to cybersecurity incidents."
"Begin by asking providers about their cybersecurity policies and practices. Their protocols should align with standards like NIST or ISO/IEC 27001.... Explore the provider's history of handling security incidents. Transparency is key -- ask how they've responded to breaches in the past, and check for any related legal or regulatory issues.... Strong contracts reinforce good cybersecurity."
"[1] Review daily, weekly, or monthly reports from the vendor's cybersecurity monitoring tools ... [2] Audit the vendor site and perform your own cybersecurity review and/or assessment. [3] Ask the vendor to provide annual copies of approved and objective third-party cybersecurity assessments. [4] Contract with your own cybersecurity experts to do penetration testing against your vendor (with your vendor's knowledge that the tests are occurring, of course)."
"Ransomware attacks on healthcare organizations surged in 2024, with nearly 400 US providers reporting incidents.... [H]ealthcare breaches now average $9.77 million -- the highest across all industries for the 14th year. [HHS] also noted a sharp rise in ransomware cases, driven by outdated systems, misconfigured devices, and cloud vulnerabilities.... This article outlines key strategies for healthcare organizations to prevent, respond to, and recover from ransomware incidents -- while minimizing legal exposure and reputational harm."
"This paper seeks to help plan sponsors understand today's rapidly changing data risk environment. [The authors] discuss how participant accounts are vulnerable to data breaches, highlight updated regulatory guidance, and offer action steps for plan committee consideration, in partnership with the plan's overall organization, consultant/advisor and counsel as needed." [Also available: "Take Action" Checklist]