With 2025 winding down, CIO Richard Clarke of Colonial Surety offered his thoughts on what was and what lies ahead in the 401k arena. I thought I would summarize those into a list that plan sponsors can use heading into 2026. What do you think?
FOCUS AREAS
1. Governance & Fiduciary Oversight
Review and update committee charters and fiduciary designations.
Conduct a comprehensive fiduciary audit—verify roles, minutes, and process documentation.
Ensure investment policy statement (IPS) is current and consistently followed.
Document all key decisions, including forfeiture use, vendor changes, and plan design updates.
2. SECURE 2.0 & Regulatory Compliance
Prepare for 2026 Roth catch-up mandate for participants earning >$145,000.
Confirm all SECURE 2.0 provisions implemented or scheduled (auto-enrollment, student loan match, emergency withdrawals).
Monitor DOL and IRS rulemaking—particularly updates to fee disclosure, pooled employer plan oversight, and pension risk transfer guidance.
3. Investments & Alternative Assets
Evaluate exposure to private or illiquid assets—confirm due diligence and participant communications.
Review provider documentation for valuation and liquidity protocols.
Update investment committee training to reflect new asset class risks and monitoring standards.
4. Cybersecurity & Data Protection
Conduct a cyber risk assessment with all plan vendors.
Require SOC 2 reports or equivalent from recordkeepers, TPAs, and custodians.
Establish a multi-layer defense: MFA, encryption, phishing simulations, and response protocols.
Train internal staff on AI-driven phishing and fraud tactics.
5. Insurance & Risk Transfer
Verify ERISA bond coverage is up to date and meets current limits.
Obtain or review fiduciary liability insurance (consider at least $1M per plan).
Add cyber liability coverage, ideally integrated with fiduciary policy.
Review policy exclusions—especially for vendor breaches and administrative errors.
6. Vendor Management & Documentation
Benchmark recordkeeping fees and investment expenses.
Update contracts to include cybersecurity and service-level requirements.
Maintain an annual vendor review log—performance, costs, compliance, and issues.
Require incident reporting protocols from all plan service providers.
7. Participant Communication & Education
Communicate Roth catch-up change clearly to affected participants.
Provide education on cyber hygiene and account security.
Consider refreshers on rollovers, lost accounts, and emergency savings options.