New Texas cyber law shields Austin's small businesses, yet employee benefit plan risks persist
It's no surprise that Austin, with its vibrant culture and innovative spirit, continues to see impressive investment in the city's economy. According to recent data from Austin's Economic Development Department, the city saw transformative growth in 2024, adding 28,500 jobs annually and further cementing its reputation as one of the top U.S. hubs for entrepreneurs, startups, and small and mid-market business density. Additional findings from a 2022 Economic Impact Study by the Texas Governor's Office of Economic Development and Tourism point to just how far the state and popular cities like Austin have come, comparing Texas' entrepreneurial ecosystem to national innovation hubs such as California and New York and placing Austin as the 5th fastest-growing major metro.
With rapid expansion come growing pains and fresh challenges, especially in today's digital landscape, where cybersecurity is no longer just an IT issue but a focus area for many of the city's companies. For Austin's small and mid-sized businesses (SMBs), which are not immune to cyber threats, managing cybersecurity risk has become a strategic priority. This is particularly critical for organizations that oversee employee benefit plans (EBPs), which contain highly sensitive personal, financial, and health-related data, making them attractive targets for cybercriminals.
As regulatory scrutiny tightens and cyber threats grow more sophisticated, SMBs must reassess how they're managing cybersecurity risk—particularly when plan administration is handled in-house or outsourced to third-party administrators (TPAs). Now, with new state laws like Texas Senate Bill 2610 reinforcing the importance of having a cybersecurity framework in place, the stakes for protecting benefit plans remain high.
SMBs are particularly vulnerable due to limited IT budgets, rapid scaling, outsourced HR and payroll functions, and reliance on hybrid cloud infrastructure. Many smaller firms assume they're 'too small to hack,' but attackers often view them as ideal entry points due to lighter security protocols and a lack of internal expertise.
The U.S. Department of Labor has reaffirmed that cybersecurity is not just a best practice—it's a fiduciary responsibility under the Employee Retirement Income Security Act of 1974 (ERISA). This applies to all health, welfare, and retirement benefit plans. In other words, weak cybersecurity protections for benefit plans could expose SMBs to both legal and reputational risks.
New Texas Cyber Law: A Step in the Right Direction
Recognizing the growing threat, Texas lawmakers recently passed Senate Bill 2610, a cybersecurity safe harbor law for SMBs with fewer than 250 employees. Signed by Governor Greg Abbott, the law shields businesses from exemplary (punitive) damages in data breach lawsuits—if they can demonstrate the implementation of a cybersecurity program that meets certain standards.
To qualify, businesses must adopt safeguards (technical, administrative, and physical) and follow an industry-recognized cybersecurity framework. The law scales requirements based on company size:
Firms with fewer than 20 employees must follow simplified protocols like password policies and basic training.
Firms with 20–99 employees must adopt baseline security controls like the CIS Controls IG1.
Firms with 100–249 employees must implement comprehensive frameworks such as NIST CSF or HITRUST CSF.
This law, effective September 1, 2025, doesn't eliminate liability—but it does limit financial exposure if businesses take proactive steps.
Practical Safeguards for SMB Benefit Plans
While legal protections are helpful, they're no substitute for strong cyber hygiene. SMBs—especially in tech—should treat cybersecurity for EBPs as a business-critical obligation. Here are three essential steps Austin-based organizations can take now:
Assess Third-Party Risks: Review the cybersecurity posture of HR/payroll providers, benefits administrators, and any cloud-based platforms involved in storing or transmitting benefit-related data. Request SOC reports and ensure compliance with ERISA guidelines.
Conduct a Cyber Risk Review Specific to EBPs: Partner with cybersecurity advisors to map where employee benefit data resides, who has access to it, and how it is secured. Identify gaps in encryption, access control, or data retention policies.
Educate Staff and Establish Protocols: Equip both HR and IT teams with training on phishing attacks, password management, and insider threats. Align policies around who manages plan data and what happens in the event of a breach.
The Bottom Line
As Austin's market adjusts to a new phase of economic growth in 2025, cybersecurity cannot be an afterthought—especially when it comes to employee benefit plans. By aligning with evolving federal and state guidelines, and taking smart, scalable steps to protect employee benefit data, Austin-based SMBs can safeguard their reputation, avoid costly breaches, and demonstrate a commitment to the long-term wellbeing of their workforce.
Listen, then advise. That's what makes Miller Kaplan one of the top-100 certified public accounting firms in the United States. Established in 1941, Miller Kaplan has been providing audit, accounting, tax, business management, information security, licensing and royalties, industry metrics, and consulting services, to individuals, businesses, fiduciaries, and tax-exempt organizations for more than 80 years. Visit for more information.
Mark started in public accounting nearly 30 years ago, performing audit, exempt-return, and other specialty services for employee benefit plans, labor unions, and nonprofit organizations. Now, Mark leverages his significant experience dealing with complex financial and operational matters to better serve his clients.
As a former Chief Information Officer (CIO) and Chief Information Security Officer (CISO), David brings a holistic, highly integrated, and deeply disciplined view of information management to his work. He provides his clients with information security management support while helping them achieve optimal usage of their technologies.