The outsourcing of retirement plan recordkeeping and other administrative responsibilities has increased in recent years for both defined contribution and defined benefit plans.

Partner Matthew Hawes was quoted in a recent Law360 article about strategies employers can use to safeguard their retirement plans against cybersecurity risks. Matt discusses how the lack of sufficient protections against cybersecurity breaches can be seen as a violation of fiduciary duty.

Whether due to an upcoming contract expiration, change in leadership, decline in service quality, regulatory issues, or any of the other many events that occur during an outsourcing engagement, invariably, the original agreement with the service provider must be modified.

The ERISA Advisory Council (Council) has been tackling the issue of cybersecurity as it relates to benefit plans since 2011, and just this last summer, the Council held two hearings where it heard testimony from various experts and interested parties on the issue.

The Office of Civil Rights (OCR) of the US Department of Health and Human Services (HHS) recently released guidance on cloud computing that allows entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to take advantage of cloud service providers (CSPs) while still complying with HIPAA.

Retirement plans store extensive personal data on each participant and beneficiary, ranging from Social Security numbers and addresses to dates of birth, bank account information, and other sensitive financial information.

Health plan administrators are (or certainly should be) well-versed in their obligations under the Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH).

On March 21, 2016, the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced that it has begun the second phase of its HIPAA Audit Program.