"A professional uniquely positioned to discuss cybersecurity in the context of retirement plans offers her insights on the nuances and hard realities of protecting assets, balances, sensitive information and more from unauthorized access.... She observed that 73% of the organizations that experience a breach of security experience a second one. And this, she said, 'is because they didn't identify the cause and didn't fix it.'"
"ERISA's Section 404 talks about acting prudently and solely in the interest of participants. That used to mean watching fees, monitoring investments, and keeping minutes. But in 2025, prudence means locking down your participant data like it's Fort Knox. Every Social Security number, every date of birth, every account balance—those are plan assets in digital form."
"Recent guidance from both the [DOL] and the New York State Department of Financial Services (DFS) underscores the importance of due diligence and ongoing oversight of ... third-party administrators (TPAs), carriers, and technology platforms ... Outsourcing the administration does not absolve you of your fiduciary duty.... Here's a checklist to guide your due diligence related to cybersecurity."
"[1] Cybersecurity is a fiduciary issue.... [2] Vet and tighten your vendor contracts now.... [3] Look for documentation, not just policies ... [4] Train your people, and document that training.... [5] Check your insurance, and insist on cyber coverage.... [6] Bring cybersecurity into your plan oversight meetings.... Cybersecurity isn't just an IT problem, it's an ERISA oversight issue."
"62% of retirement plan website and app users say security is more important than convenience regarding their overall digital experience. Moreover, account security is now one of the biggest drivers of overall customer satisfaction with retirement account digital tools, alongside core usability and design features such as visual appeal, navigation and speed."
"Cyber-attacks on Section 401(k) plans and their participant accounts are not only increasing in number but, with the use of AI, they are increasing in sophistication. Plan fiduciaries ... need to take steps to protect plan assets from these risks by implementing appropriate cybersecurity measures. All employees (not just HR staff) need to be aware of cybersecurity risks because those risks cannot be managed solely by IT security protocols such as secure messaging and multi-factor authentication."
"In its ongoing efforts to bolster cybersecurity in ERISA-covered plans, the [DOL] has issued multiple layers of guidance, one of which is a set of Online Security Tips.... These tips aren't directed at plan sponsors or fiduciaries, but the DOL, including them in the broader cybersecurity release, implies a clear expectation: you should inform your participants."
"Over the past decade, the electronic health record (EHR) market has become increasingly consolidated, with the majority of care delivery organizations now using one of two vendors ... This consolidation creates a 'single-point-of-failure' tail risk for cybersecurity ... Given that reversing consolidation is unlikely due to high EHR switching costs, it is critical that policymakers establish safeguards that ensure robust protections for patients' sensitive data.... Sustained investment in regulatory oversight and continued partnerships between policymakers, care delivery organizations, and EHR vendors are essential to contain the catastrophic risk involved from this ongoing market consolidation."
"Personal data belonging to most of Allianz Life Insurance Co. of North America's 1.4 million U.S. customers was exposed on July 16 ... The breach was discovered one day after a 'malicious threat actor' hacked into a third-party customer relationship management system used by the insurer ... An attorney for Allianz submitted a disclosure of the breach to the office of the Maine attorney general."
"The DOL outlines 12 best practices that reflect key areas of responsibility for ERISA plan sponsors and service providers ... Taking steps now puts plan sponsors in a stronger position for when the guidance eventually shifts from recommendation to requirement."
"As a plan sponsor, taking steps to secure your plan data isn't optional, it's part of your legal duty to act in your participants' best interests.... [1] Review your vendor contracts for cybersecurity language. [2] Request and review audit reports from your service providers. [3] Implement basic security practices for your internal team. [4] Educate your participants about protecting their accounts. [5] Document your efforts as part of fiduciary oversight."
"[1] Establish a formal cybersecurity program ... [2] Conduct annual risk assessments ... [3] Require independent third-party audits ... [4] Define security roles and implement strong access controls ... [5] Ensure secure management of cloud services and vendors ... [6] Implement secure development practices and business resiliency programs ... [7] Encrypt sensitive data and maintain strong technical controls ... [8] Prepare for and respond to cybersecurity incidents."
"Begin by asking providers about their cybersecurity policies and practices. Their protocols should align with standards like NIST or ISO/IEC 27001.... Explore the provider's history of handling security incidents. Transparency is key -- ask how they've responded to breaches in the past, and check for any related legal or regulatory issues.... Strong contracts reinforce good cybersecurity."
"[1] Review daily, weekly, or monthly reports from the vendor's cybersecurity monitoring tools ... [2] Audit the vendor site and perform your own cybersecurity review and/or assessment. [3] Ask the vendor to provide annual copies of approved and objective third-party cybersecurity assessments. [4] Contract with your own cybersecurity experts to do penetration testing against your vendor (with your vendor's knowledge that the tests are occurring, of course)."
"Ransomware attacks on healthcare organizations surged in 2024, with nearly 400 US providers reporting incidents.... [H]ealthcare breaches now average $9.77 million -- the highest across all industries for the 14th year. [HHS] also noted a sharp rise in ransomware cases, driven by outdated systems, misconfigured devices, and cloud vulnerabilities.... This article outlines key strategies for healthcare organizations to prevent, respond to, and recover from ransomware incidents -- while minimizing legal exposure and reputational harm."
"This paper seeks to help plan sponsors understand today's rapidly changing data risk environment. [The authors] discuss how participant accounts are vulnerable to data breaches, highlight updated regulatory guidance, and offer action steps for plan committee consideration, in partnership with the plan's overall organization, consultant/advisor and counsel as needed." [Also available: "Take Action" Checklist]
"[HIPAA's] outdated definitions and narrow scope have created a gaping hole -- one that data brokers, app developers, retail pharmacies, and even your stop-loss underwriter are sprinting through with glee. And the worst part? This data dragnet ... [is] making your health plan more expensive, less accurate, and more vulnerable to being rated and lasered based on guesswork."
"Cybercriminals exploit weaknesses in systems, software, or human behavior to find opportunities for easy access (like compromised credentials) and steal information.... The digital nature of plan administration and the reliance on third-party service providers create ample access given the broad attack surface."
"This settlement highlights the critical importance of adhering to HIPAA's rules, including conducting thorough risk analyses, implementing robust security measures, and ensuring timely notifications of data breaches. It is also a reminder that ongoing vigilance is required to protect ePHI in an increasingly digital health care environment."
"Health and welfare plan sponsors will find that many vendors already emphasize cybersecurity.... [T]he DOL's guidance serves as a valuable checklist for sponsors to evaluate their service providers through a fiduciary lens.... [S]ponsors should assess their internal cybersecurity measures, especially if they retain sensitive plan-related data. ERISA's 'prudence' requirement hinges on adopting a sound process -- a hallmark of effective fiduciary responsibility."
"The more vendors you work with, the greater the chance you'll be impacted by a cybersecurity incident affecting one of them.... [E]very vendor you work with likely works with other vendors, increasing the probability that you'll be affected by an incident.... If a vendor cannot provide an objective, third-party cybersecurity assessment, like a SOC2 report or other attestation, showing that it has solid cyber protections in place, that's a red flag."
"Not only is the cash in retirement accounts valuable, so too is the associated personal data.... While it is impossible to eliminate the cybersecurity threats to retirement plans, sponsors need to know that as ERISA fiduciaries, they are obligated to mitigate cybersecurity threats, and ... failure to mitigate cyber threats can result in fiduciary breach allegations which put the personal assets of sponsors at risk."
"Exposures such as IT supply chain dependencies, website tracking litigation, ransomware attacks, new security regulations and data breach class actions put healthcare organizations of all sizes at high risk for cyber insurance claims. Understanding trends in cyber attacks as well as the evolving regulatory and litigation environment is critical to building resilience and maximizing insurance indemnification."
"[1] Why 401(k) plans are prime targets ... [2] The regulatory landscape: what the DOL expects ... [3] Key actions for plan sponsors in 2025 ... [4] More than risk management: a business advantage ... [5] Looking ahead: what's next in 401(k) cybersecurity ... [6] A fiduciary duty you can't ignore."
"In the last week of February, six class actions were filed in the U.S. District Court for the Northern District of Illinois against [one] retirement plan administrator ... These complaints illustrate the many federal and state causes of action that can be pursued by aggrieved plaintiffs in addition to [ERISA] claims, including emotional distress, invasion of privacy and violation of consumer fraud laws. ... While no protections are 100% foolproof, [the plan administrator] might have avoided these suits by following a good written cybersecurity policy."