News Archive: Cybersecurity

American Retirement Association [ARA]
May 7, 2026

"64% of attendees responded that participants' behavior was the greatest source of cybersecurity risk for their company, with lower values for internal processes and vendor relationships. However, only 21% of attendees said that cybersecurity responsibilities are clearly defined at their firm and only 10% said that they had a documented cyber response policy that is tested annually (45% said they were unsure if they even had one)."

Tags: Cybersecurity  •  Retirement Plan Administration

HealthEquity
Apr. 21, 2026

"Health Savings Accounts (HSAs) are an attractive target for fraudsters, and HSA providers must use automated methods to stop them before funds are lost....Best practices include: [1] Retiring micro-deposit verification through bank accounts. [2] Integrating instant bank account verification inside the member app. [3] Enabling real-time verification outcomes."

Tags: Cybersecurity  •  HSAs

Employee Benefit News [EBN]; login required
Apr. 20, 2026

"More than 400 million health insurance identities have been breached or compromised since 2021 alone. Yet no breached entity, employer, third-party administrator (TPA) or health insurance carrier has offered any protection against identity theft and fraud against health insurance benefits. This is potentially a large, yet unaddressed risk to plan sponsors and their servicers that benefit brokers and advisers need to help their employer clients guard against."

Tags: Cybersecurity  •  Health Plan Administration

Foley & Lardner LLP
Mar. 18, 2026

"AI tools are increasingly used in benefits administration.... While these tools can improve efficiency, they also introduce new cybersecurity risks that fiduciaries must evaluate.... Based on the DOL's guidance and emerging best practices, fiduciaries should consider implementing the following measures: [1] Vendor due diligence.... [2] Contractual protections.... [3] Participant education.... [4] Employee education.... [5] Documentation."

Tags: Cybersecurity  •  Health Plan Administration  •  Retirement Plan Administration

Michael Best
Mar. 17, 2026

"[M]any retirement plan recordkeepers are offering and promoting online security guarantees or fraud reimbursement programs to address unauthorized or fraudulent transactions, promising to make participants whole and reimburse them for losses that are at no fault of the participant.... Far from being simple supplemental consumer benefits, the security guarantees or fraud reimbursement programs that are marketed as protecting participants must be evaluated through the lens of ERISA's fiduciary standards."

Tags: Cybersecurity  •  Fiduciary Duties  •  Retirement Plan Administration

Mercer
[Guidance Overview]
Mar. 10, 2026

"These projects reflect priorities that guide DOL's enforcement activities, which are conducted by investigators in the agency's regional and district offices. This article provides an overview of areas of focus for retirement plans, which include cybersecurity, retirement asset management, and protection of benefit distributions."

Tags: Cybersecurity  •  Fiduciary Duties  •  Misc. Distribution Issues  •  Retirement Plan Administration  •  Retirement Plan Investments

AXIOS; login may be required
Mar. 9, 2026

"The Senate's health committee late last month advanced legislation to fortify health care cybersecurity ... [The Health Care Cybersecurity and Resilience Act (S 3315)] would improve coordination among government agencies and requires the [HHS] to develop an incident response plan. It also would establish new grants to health entities for cyberattack planning and response and make them use multi-factor authentication and encryption -- a key shortcoming exposed by the Change breach."

Tags: Cybersecurity  •  Health Plan Administration

Thompson Hine
[Guidance Overview]
Jan. 28, 2026

"[T]he Department plans to continue to devote many more resources to health and welfare plan enforcement. In particular, DOL highlights two projects for 2026: [1] barriers to mental health and substance use disorder benefits (MH/SUD), and [2] surprise billing.... DOL continues to pursue a variety of projects to protect the benefits of retirement plan participants.... [T]he Department for the first time included cybersecurity on the national enforcement project list."

Tags: Cybersecurity  •  Health Plan Administration  •  Health Plan Design  •  Retirement Plan Administration

American Retirement Association [ARA]
Jan. 26, 2026

"Health plan sponsors can expect increased examination activity, particularly in mental health and surprise billing.... Cybersecurity has officially graduated from buzzword to enforcement priority -- and this priority applies to retirement plans.... Service-provider-level reviews of 3(21) and 3(38) fiduciaries.... Investment selection in 404(c) plans.... Underfunded defined benefit plans.... ESOPs and missing participants deprioritized."

Tags: Cybersecurity  •  Fiduciary Duties  •  Health Plan Administration  •  Retirement Plan Administration

Morgan Lewis
[Guidance Overview]
Jan. 21, 2026

"EBSA intends to prioritize investigations in the following health plan areas: [1] Cybersecurity and data protection ... [2] Mental health and substance use disorder parity ... [3] Surprise billing compliance ... [4] Protections of employee contributions ... EBSA reaffirmed its ongoing efforts to identify abusive or fraudulent Multiple Employer Welfare Arrangements (MEWAs)."

Tags: Cybersecurity  •  Health Plan Administration  •  Health Plan Design  •  MHPAEA

Proskauer
[Guidance Overview]
Jan. 21, 2026

"EBSA stated that its investigations will continue to evaluate how plans and service providers protect against cybersecurity threats.... [T]he Mental Health Parity and Addiction Equity Act and its 2013 regulations, as well as the Consolidated Appropriations Act, 2021, remain ... an enforcement priority.... EBSA will be focusing enforcement efforts on the implementation of the No Surprises Act ... EBSA will be reviewing pension plan practices to notify participants who are approaching normal retirement age and required minimum distribution age[.]"

Tags: Cybersecurity  •  Fiduciary Duties  •  Health Plan Administration  •  MHPAEA  •  Retirement Plan Administration

Baker Donelson
[Guidance Overview]
Jan. 14, 2026

"[OCR's] January 2026 Cybersecurity Newsletter ... reinforces OCR's continued expectation that HIPAA covered entities and business associates proactively reduce cybersecurity risks to electronic protected health information (ePHI) through ongoing technical and operational safeguards.... Privacy and security officers should also consider these recommendations as a baseline for risk management responsibilities and consider integrating the safeguards into internal auditing programs."

Tags: Cybersecurity  •  HIPAA

Ogletree Deakins
[Guidance Overview]
Dec. 1, 2025

"[T]he New York State Department of Financial Services (NYDFS) issued an industry letter ... which clarifies covered entities' responsibilities when engaging third‑party service providers (TPSPs) that access information systems or nonpublic information (NPI). Although the guidance does not add new rules to the NYDFS Cybersecurity Regulations, it clarifies regulatory requirements with respect to TPSPs, provides suggestions for best practices, and may signal increased regulatory focus on third-party risk management."

Tags: Cybersecurity  •  Health Plan Administration  •  Retirement Plan Administration

RPAG
Nov. 18, 2025

"[M]ore than half of plan sponsors rank cybersecurity as their No. 1 'plan fear,' ahead of poor investment performance (45%) and insufficient participant savings (43%).... High profile breaches, such as the recent attack on a leading recordkeeper affecting more than 1,000 participants and traced to a third-party client management cloud application, demonstrate how a single weak point can compromise participant data and disrupt operations."

Tags: Cybersecurity  •  Retirement Plan Administration

American Retirement Association [ARA]
Nov. 13, 2025

"A professional uniquely positioned to discuss cybersecurity in the context of retirement plans offers her insights on the nuances and hard realities of protecting assets, balances, sensitive information and more from unauthorized access.... She observed that 73% of the organizations that experience a breach of security experience a second one. And this, she said, 'is because they didn't identify the cause and didn't fix it.' "

Tags: Cybersecurity  •  Retirement Plan Administration

The Rosenbaum Law Firm P.C.
[Opinion]
Nov. 11, 2025

"ERISA’s Section 404 talks about acting prudently and solely in the interest of participants. That used to mean watching fees, monitoring investments, and keeping minutes. But in 2025, prudence means locking down your participant data like it’s Fort Knox. Every Social Security number, every date of birth, every account balance—those are plan assets in digital form."

Tags: Cybersecurity  •  Fiduciary Duties

EPIC
Nov. 11, 2025

"Recent guidance from both the [DOL] and the New York State Department of Financial Services (DFS) underscores the importance of due diligence and ongoing oversight of ... third-party administrators (TPAs), carriers, and technology platforms ... Outsourcing the administration does not absolve you of your fiduciary duty.... Here's a checklist to guide your due diligence related to cybersecurity."

Tags: Cybersecurity  •  Fiduciary Duties  •  Health Plan Administration

The Rosenbaum Law Firm P.C.
Oct. 9, 2025

"[1] Cybersecurity is a fiduciary issue.... [2] Vet and tighten your vendor contracts now.... [3] Look for documentation, not just policies ... [4] Train your people, and document that training.... [5] Check your insurance, and insist on cyber coverage.... [6] Bring cybersecurity into your plan oversight meetings.... Cybersecurity isn't just an IT problem, it's an ERISA oversight issue."

Tags: Cybersecurity  •  Health Plan Administration  •  Retirement Plan Administration

Golan Christie Taglia
Aug. 29, 2025

"Cyber-attacks on Section 401(k) plans and their participant accounts are not only increasing in number but, with the use of AI, they are increasing in sophistication. Plan fiduciaries ... need to take steps to protect plan assets from these risks by implementing appropriate cybersecurity measures. All employees (not just HR staff) need to be aware of cybersecurity risks because those risks cannot be managed solely by IT security protocols such as secure messaging and multi-factor authentication."

Tags: 401(k) Plans  •  Cybersecurity  •  Retirement Plan Administration

Clark Schaefer Hackett
[Guidance Overview]
Aug. 20, 2025

"In its ongoing efforts to bolster cybersecurity in ERISA-covered plans, the [DOL] has issued multiple layers of guidance, one of which is a set of Online Security Tips.... These tips aren't directed at plan sponsors or fiduciaries, but the DOL, including them in the broader cybersecurity release, implies a clear expectation: you should inform your participants."

Tags: Cybersecurity  •  Retirement Plan Administration

Health Affairs Scholar
[Opinion]
Aug. 18, 2025

"Over the past decade, the electronic health record (EHR) market has become increasingly consolidated, with the majority of care delivery organizations now using one of two vendors ... This consolidation creates a 'single-point-of-failure' tail risk for cybersecurity ... Given that reversing consolidation is unlikely due to high EHR switching costs, it is critical that policymakers establish safeguards that ensure robust protections for patients' sensitive data.... Sustained investment in regulatory oversight and continued partnerships between policymakers, care delivery organizations, and EHR vendors are essential to contain the catastrophic risk involved from this ongoing market consolidation."

Tags: Cybersecurity  •  Health Plan Administration