2025 Open Enrollment Checklist
August 2, 2024

To get ready for open enrollment, employers who sponsor group health plans should be aware of compliance changes affecting the design and administration of their health plans for plan years beginning on or after Jan. 1, 2025. These changes include limits that are adjusted for inflation each year, such as the Affordable Care Act’s (ACA) affordability percentage and cost-sharing limits for high deductible health plans (HDHPs). Employers should review their health plan’s design to confirm that it has been updated, as necessary, for these changes.


In addition, any changes to a health plan’s benefits for the 2025 plan year should be communicated to plan participants through an updated summary plan description (SPD) or a summary of material modifications (SMM).


Health plan sponsors should also confirm that their open enrollment materials contain certain required participant notices, such as the summary of benefits and coverage (SBC), when applicable. Some participant notices must also be provided annually or upon initial enrollment. To minimize costs and streamline administration, employers should consider including these notices in their open enrollment materials.


Plan Design Changes

ACA Affordability Standard

The ACA requires applicable large employers (ALEs) to offer affordable, minimum-value health coverage to their full-time employees (and dependents) or risk paying a penalty to the IRS. This employer mandate is also known as the “pay-or-play” rules. An ALE is an employer with at least 50 full-time employees, including full-time equivalent employees, during the preceding calendar year.


An ALE’s health coverage is considered affordable if the employee’s required contribution for the lowest cost self-only coverage that provides minimum value does not exceed 9.5% (as adjusted) of the employee’s household income for the taxable year. For plan years beginning in 2024, the adjusted affordability percentage is 8.39%.


The affordability percentage for plan years beginning on or after Jan. 1, 2025, has not been released yet. Going forward, ALEs should take the following steps:


  • Monitor future developments for the IRS’ release of the affordability percentage for 2025; and
  • Once the affordability percentage is released, confirm that at least one of the health plans offered to full-time employees satisfies the ACA’s affordability standard. Because an employer generally will not know an employee’s household income, the IRS has provided three optional safe harbors that ALEs may use to determine affordability based on information that is available to them: the Form W-2 safe harbor, the rate-of-pay safe harbor and the federal poverty line safe harbor.


Out-of-Pocket Maximum Limits

Non-grandfathered health plans and health insurance issuers are subject to limits on cost sharing for essential health benefits (EHB). EHBs reflect the scope of benefits covered by a typical employer plan and must include items and services in 10 general categories, including emergency services, hospitalization, ambulatory patient services, prescription drugs, pregnancy, maternity and newborn care, mental health and substance use disorder services, rehabilitative and habilitative services, laboratory services, preventive and wellness services and chronic disease management, and pediatric services.


The annual limits on total enrollee cost sharing for EHB for plan years beginning on or after Jan. 1, 2025, are $9,200 for self-only coverage and $18,400 for family coverage. With this in mind, employers should take the following steps:


  • Review the out-of-pocket maximum limits for the health plan to ensure they comply with the ACA’s limits for the 2025 plan year; and
  • Keep in mind that the out-of-pocket maximum limits for HDHPs compatible with HSAs must be lower than the ACA’s limits. For the 2025 plan year, the out-of-pocket maximum limits for HDHPs are $8,300 for self-only coverage and $16,600 for family coverage.


Preventive Care Benefits

The ACA requires non-grandfathered health plans and issuers to cover a set of recommended preventive services without imposing cost-sharing requirements, such as deductibles, copayments or coinsurance, when the services are provided by in-network providers. The recommended preventive care services covered by these requirements are:


  • Evidence-based items or services with an A or B rating in recommendations of the U.S. Preventive Services Task Force;
  • Immunizations recommended by the Advisory Committee on Immunization Practices for routine use in children, adolescents and adults;
  • Evidence-informed preventive care and screenings in guidelines supported by the Health Resources and Services Administration (HRSA) for infants, children and adolescents; and
  • Other evidence-informed preventive care and screenings in HRSA-supported guidelines for women.


Health plans and issuers are required to adjust their first-dollar coverage of preventive care services based on the latest preventive care recommendations. In general, coverage must be provided for a newly recommended preventive health service or item for plan years beginning on or after the one-year anniversary of when the recommendation was issued. For example, health plans and issuers must cover screenings for anxiety disorders in adults, including pregnant and postpartum patients, effective for plan years beginning on or after June 30, 2024 (e.g., the plan year beginning Jan. 1, 2025, for calendar-year plans). More information on the recommended preventive care services is available at www.HealthCare.gov.


Before the beginning of the 2025 plan year, employers should take the following step:


  • Confirm the health plan covers the latest recommended preventive care services without imposing any cost sharing when the care is provided by in-network providers.


Health FSA Contributions

The ACA imposes a dollar limit on employees’ pre-tax contributions to a health FSA. This limit is indexed each year for cost-of-living adjustments. An employer may set their own dollar limit on employees’ contributions to a health FSA as long as the employer’s limit does not exceed the ACA’s maximum limit in effect for the plan year. For plan years beginning in 2024, the health FSA limit is $3,200. The IRS has not yet released the health FSA limit for plan years beginning in 2025. Moving forward, employers with health FSAs should take these steps:


  • Monitor future developments for the release of the health FSA limit for 2025;
  • Once the IRS releases the health FSA limit, confirm that employees will not be allowed to make pre-tax contributions in excess of the limit for the 2025 plan year; and
  • Communicate the health FSA limit to employees as part of the open enrollment process.


HDHP and HSA Limits

The IRS limits for HSA contributions, HDHP minimum deductibles and HDHP maximum out-of-pocket expenses all increase for 2025. The HSA contribution limits will increase effective Jan. 1, 2025, while the HDHP cost-sharing limits will increase effective for plan years beginning on or after Jan. 1, 2025. Looking ahead, employers should take these steps:



  • Check whether HDHP cost-sharing limits need to be adjusted for the 2025 limits; and
  • Communicate HSA contribution limits for 2025 to employees as part of the enrollment process.


The following table contains the HDHP and HSA limits for 2025 compared to 2024. It also includes the catch-up contribution limit that applies to HSA-eligible individuals age 55 and older, which is not adjusted for inflation and stays the same from year to year.

HDHPs: Expiration of Design Options

To be eligible for HSA contributions for a month, an individual must be covered under an HDHP as of the first day of the month and have no other impermissible coverage. In general, except for preventive care benefits, no benefits can be paid by an HDHP until the minimum annual deductible has been satisfied. However, there are a few narrow exceptions to the minimum deductible requirement, including the following exceptions that are expiring:


  • For plan years ending after Dec. 31, 2024, an HDHP is no longer permitted to provide benefits for COVID-19 testing and treatment without a deductible (or with a deductible below the minimum deductible for an HDHP); and
  • For plan years beginning on or after Jan. 1, 2025, an HDHP is no longer permitted to provide benefits for telehealth or other remote care services before plan deductibles have been met.


Due to these changes, employers with HDHPs should take these steps for plan years beginning in 2025:


  • Confirm that HDHPs will not pay benefits for COVID-19 testing and treatment before the annual minimum deductible has been met;
  • Confirm that HDHPs will not pay benefits for telehealth or other remote care services (except for preventive care benefits) before the annual minimum deductible has been met; and
  • Notify plan participants of any changes for the 2025 plan year regarding COVID-19 testing and treatment and telehealth services through an updated SPD or SMM.


EBHRA Limit

An excepted benefit health reimbursement arrangement (EBHRA) is an employer-funded health care account that reimburses employees for their eligible medical expenses on a tax-free basis. Employers can use EBHRAs to supplement their traditional group health plan coverage and help employees with their out-of-pocket medical expenses, including deductible, copayment and coinsurance amounts. Employers of all sizes may offer EBHRAs. Although an employer must offer a traditional group health plan, employees are not required to enroll in the employer’s group coverage (or any other type of coverage) to be eligible for the EBHRA.


Only employers can contribute to HRAs, including EBHRAs. EBHRAs are subject to a maximum amount that may be made newly available for the plan year. This maximum amount is adjusted annually for inflation. For 2024 plan years, the contribution limit is $2,100. This limit increases to $2,150 for plan years beginning in 2025.


Employers that sponsor EBHRAs should take the following steps:


  • Decide how much will be contributed to the EBHRA for eligible employees for the 2025 plan year, up to a maximum of $2,150; and
  • Communicate the EBHRA’s annual benefit amount to employees as part of the open enrollment process.


Mental Health Parity – Required Comparative Analysis for NQTLs

The Mental Health Parity and Addiction Equity Act (MHPAEA) requires parity between a group health plan’s medical/surgical benefits and its mental health or substance use disorder (MH/SUD) benefits. These parity requirements apply to financial requirements and treatment limits for MH/SUD benefits. In addition, any nonquantitative treatment limitations (NQTLs) placed on MH/SUD benefits must comply with MHPAEA’s parity requirements. For example, NQTLs include prior authorization, step therapy protocols, network adequacy and medical necessity criteria.


MHPAEA requires health plans and issuers to conduct comparative analyses of the NQTLs used for medical/surgical benefits compared to MH/SUD benefits. This analysis must contain a detailed, written and reasoned explanation of the specific plan terms and practices at issue and include the basis for the plan’s or issuer’s conclusion that the NQTLs comply with MHPAEA. Plans and issuers must make their comparative analyses available to specific federal agencies or applicable state authorities upon request. In recent years, the U.S. Department of Labor (DOL) has made MHPAEA compliance a top enforcement priority, with a primary focus being MHPAEA’s parity requirements for NQTLs. Considering this information, employers should take the following step:


  • Reach out to health plan issuers (or third-party administrators) to confirm that comparative analyses of NQTLs will be updated, if necessary, for the plan year beginning in 2025.


Prescription Drug Benefits – Creditable Coverage Determination

The Inflation Reduction Act of 2022 (IRA) includes several cost-reduction provisions affecting Medicare Part D plans, which may impact the creditable coverage status of employer-sponsored prescription drug coverage beginning in 2025. For example, effective for 2025, Medicare enrollees’ out-of-pocket costs for prescription drugs will be capped at $2,000.


Employers that provide prescription drug coverage to individuals who are eligible for Medicare Part D must inform these individuals and the Centers for Medicare and Medicaid Services (CMS) whether their prescription drug coverage is creditable, meaning that the employer’s prescription drug coverage is at least as good as Medicare Part D coverage. These disclosures must be provided on an annual basis and at certain other designated times, including when there is a change to a prescription drug benefit’s creditable coverage status.


Previously, CMS stated that one of the methods for determining whether coverage is creditable (the “simplified determination” method) would no longer be valid as of calendar year 2025, given the significant changes made to Medicare Part D by the IRA. However, CMS subsequently decided that it will continue to permit the use of the simplified determination methodology, without modification, for calendar year 2025 for group health plan sponsors who are not applying for the retiree drug subsidy.


Due to these developments, employers should take the following steps:


  • Confirm whether their health plans’ prescription drug coverage for 2025 is creditable or noncreditable as soon as possible to prepare to send the appropriate Medicare Part D disclosure notices; and
  • Continue to utilize the simplified determination method for determining whether prescription drug coverage is creditable for 2025, if applicable.


Open Enrollment Notices

Employers who sponsor group health plans should provide certain benefits notices in connection with their plans’ open enrollment periods. Some of these notices must be provided at open enrollment time, such as the SBC. Other notices, such as the WHCRA notice, must be distributed annually. Although these annual notices may be provided at different times throughout the year, employers often choose to include them in their open enrollment materials for administrative convenience.


In addition, employers should review their open enrollment materials to confirm that they accurately reflect the terms and cost of coverage. In general, any plan design changes for 2025 should be communicated to plan participants either through an updated SPD or an SMM.


Summary of Benefits and Coverage

The ACA requires health plans and health insurance issuers to provide an SBC to applicants and enrollees each year at open enrollment or renewal time. Federal agencies have provided a template for the SBC, which health plans and issuers are required to use. To comply with the SBC requirements, employers should include an updated SBC with open enrollment materials.


Take note that the plan administrator is responsible for providing the SBC for self-funded plans. For insured plans, the issuer usually prepares the SBC. If the issuer prepares the SBC, an employer is not required to also prepare an SBC for the health plan, although they may need to distribute the SBC prepared by the issuer.


Medicare Part D Notices

Group health plan sponsors must provide a notice of creditable or noncreditable prescription drug coverage to Medicare Part D-eligible individuals covered by, or who apply for, prescription drug coverage under the health plan. This creditable coverage notice alerts individuals about whether their prescription drug coverage is at least as good as the Medicare Part D coverage. The notice generally must be provided at various times, including when an individual enrolls in the plan and each year before Oct. 15 (when the Medicare annual open enrollment period begins). Model notices are available on the Centers for Medicare and Medicaid Services’ website.


Annual CHIP Notices

Group health plans covering residents in a state that provides a premium subsidy to low-income children and their families to help pay for employer-sponsored coverage must send an annual Children’s Health Insurance Program (CHIP) notice about the available assistance to all employees residing in that state. The DOL has provided a model notice. Employers should confirm they are using the most recent model notice, as the DOL updates it regularly.


Initial COBRA Notices

COBRA applies to employers with 20 or more employees who sponsor group health plans. Group health plan administrators must provide an initial COBRA notice to new participants and certain dependents within 90 days after plan coverage begins. The initial COBRA notice may be incorporated into the plan’s SPD. A model initial COBRA notice is available from the DOL.


SPDs

Plan administrators must provide an SPD to new participants within 90 days after plan coverage begins. Any changes made to the plan should be reflected in an updated SPD booklet or described to participants through an SMM. Also, an updated SPD must be furnished every five years if changes are made to SPD information or the plan is amended. Otherwise, a new SPD must be provided every 10 years.


Notices of Patient Protections

Under the ACA, group health plans and issuers that require the designation of a participating primary care provider must permit each participant, beneficiary and enrollee to designate any available participating primary care provider (including a pediatrician for children). Additionally, plans and issuers that provide obstetrical/gynecological care and require a designation of a participating primary care provider may not require preauthorization or referral for such care. If a health plan requires participants to designate a participating primary care provider, the plan or issuer must provide a notice of these patient protections whenever the SPD or similar description of benefits is provided to a participant. If an employer’s plan is subject to this notice requirement, they should confirm that it is included in the plan’s open enrollment materials. This notice may be included in the plan’s SPD. Model language is available from the DOL.


Grandfathered Plan Notices

If an employer has a grandfathered plan, they should make sure to include information about the plan’s grandfathered status in plan materials describing the coverage under the plan, such as SPDs and open enrollment materials. Model language is available from the DOL.


Notices of HIPAA Special Enrollment Rights

At or before the time of enrollment, an employer’s group health plan must provide each eligible employee with a notice of their special enrollment rights under HIPAA. This notice may be included in the plan’s SPD.


HIPAA Privacy Notices

The HIPAA Privacy Rule requires covered entities (including group health plans and issuers) to provide a Notice of Privacy Practices (or Privacy Notice) to each individual who is the subject of protected health information (PHI). Health plans are required to send the Privacy Notice at certain times, including to new enrollees at the time of enrollment. Also, at least once every three years, health plans must either redistribute the Privacy Notice or notify participants that the Privacy Notice is available and explain how to obtain a copy.


Self-insured health plans must maintain and provide their own Privacy Notices. However, special rules apply for fully insured plans, where the health insurance issuer, not the plan itself, is primarily responsible for the Privacy Notice.


Special Rules for Fully Insured Plans

The sponsor of a fully insured health plan has limited responsibilities with respect to the Privacy Notice, including the following:


  • If the sponsor of a fully insured plan has access to PHI for plan administrative functions, they are required to maintain a Privacy Notice and provide the notice upon request; and
  • If the sponsor of a fully insured plan does not have access to PHI for plan administrative functions, they are not required to maintain or provide a Privacy Notice.


A plan sponsor’s access to enrollment information, summary health information and PHI that is released pursuant to a HIPAA authorization does not qualify as having access to PHI for plan administration purposes.


Model Privacy Notices are available through the U.S. Department of Health and Human Services.


WHCRA Notices

Plans and issuers must provide a notice of participants’ rights to mastectomy-related benefits under the Women’s Health and Cancer Rights Act (WHCRA) at the time of enrollment and on an annual basis. The DOL’s compliance assistance guide includes model language for this disclosure.


SARs

Plan administrators required to file Form 5500 must provide participants with a narrative summary of the information in Form 5500, called a summary annual report (SAR). Group health plans that are unfunded (that is, benefits are payable from the employer’s general assets and not through an insurance policy or trust) are not subject to the SAR requirement. The plan administrator generally must provide the SAR within nine months of the close of the plan year. If an extension of time to file Form 5500 is obtained, the plan administrator must furnish the SAR within two months after the close of the extension period. A model notice is available from the DOL.


Wellness Program Notices

Group health plans that include wellness programs may be required to provide certain notices regarding the program’s design. As a general rule, these notices should be provided when the wellness program is communicated to employees and before employees provide any health-related information or undergo medical examinations. These notices are required in the following situations:


  • HIPAA Wellness Program Notice—HIPAA imposes a notice requirement on health-contingent wellness programs offered under group health plans. Health-contingent wellness plans require individuals to satisfy standards related to health factors (e.g., not smoking) to obtain rewards. The notice must disclose the availability of a reasonable alternative standard to qualify for the reward (and, if applicable, the possibility of waiver of the otherwise applicable standard) in all plan materials describing the terms of a health-contingent wellness program. The DOL’s compliance assistance guide includes a model notice that can be used to satisfy this requirement.
  • Americans with Disabilities Act (ADA) Wellness Program Notice—Employers with 15 or more employees are subject to the ADA. Wellness programs that include health-related questions or medical exams must comply with the ADA’s requirements, including an employee notice requirement. Employers must give participating employees a notice that tells them what information will be collected as part of the wellness program, with whom it will be shared and for what purpose, the limits on disclosure, and how the information will be kept confidential. The U.S. Equal Employment Opportunity Commission has provided a sample notice to help employers comply with this ADA requirement.


ICHRA Notices

Employers may use individual coverage health reimbursement arrangements (ICHRAs) to reimburse their eligible employees for insurance policies purchased in the individual market or for Medicare premiums. Employers with ICHRAs must provide a notice to eligible participants about the ICHRA and its interaction with the ACA’s premium tax credit. In general, this notice must be provided at least 90 days before the beginning of each plan year. Employers may provide this notice at open enrollment time if it is at least 90 days prior to the beginning of the plan year. A model notice is available for employers to use to satisfy this notice requirement.


LINKS AND RESOURCES

Sign up for our newsletter.

October 14, 2025
If you recently received notice that your Medicare plan, or Medicare Advantage plan, is being discontinued, you’re not alone. Across the country (and right here in New York), insurers are scaling back or exiting less profitable markets ( Kiplinger ). While this can feel stressful, there are steps you can take to make sure your coverage doesn’t lapse and to find a better plan for your health and budget. Why Are Plans Being Discontinued? A mix of financial pressure, federal reimbursement changes, and rising health costs is driving insurers to reduce their Medicare Advantage footprints: Some major insurers are cutting back or exiting entire counties. For example, UnitedHealth announced it will discontinue its Medicare Advantage presence in 109 U.S. counties in 2026, according to Reuters . Local carriers in New York are also making changes: MVP is dropping several plans, and CDPHP is eliminating certain drug-coverage options, the Times Union explains . These shifts are happening alongside tighter government funding and increased regulatory strain. Because insurers must absorb the extra cost of covering benefits while meeting regulatory caps (for example, on prescription drug out-of-pocket limits), some plans become financially unsustainable and are discontinued ( the Kaiser Family Foundation ). Steps to Take if Your Plan Is Discontinued Here’s how to act so you don’t lose coverage: 1. Review the notice you received carefully Your insurer is required to send you a non-renewal or discontinuance notice. It often includes deadlines, whether you can enroll through a Special Enrollment Period (SEP), and what options you have. 2. Note the relevant enrollment period The Annual Enrollment Period (AEP) runs October 15 to December 7, 2025 , during which you can switch Medicare Advantage or Part D plans. If your plan was discontinued, some notices allow you to select a new plan until December 31 without penalty. 
In limited cases, you may qualify for a Special Enrollment Period (SEP) following the discontinuation. 3. Research your options early Don’t wait until the last minute. Compare plans available in your area. Key things to look at: Provider networks: Will your doctors still be covered? Drug formularies: Does the plan cover your medications and at what cost? Premiums, deductibles, and out-of-pocket max: These can vary significantly. Benefit trade-offs: Some plans reduce supplemental benefits (vision, dental, wellness perks) when trying to maintain financial viability. 4. Enroll in the new plan Submit your enrollment by the relevant deadline (typically December 7 for the Annual Enrollment Period (AEP). However, If your plan was discontinued, you may have until December 31 to choose a new one without penalty). Make sure the new plan starts January 1 to avoid coverage gaps. 5. If your plan wasn’t discontinued, still review Even if your current plan remains active, benefits, networks, and costs often change each year. It’s wise to compare alternatives anyway, especially after insurer shake-ups. Why Timing & Support Matter Delays cost you: Failing to enroll by deadlines could mean losing drug coverage or being locked into a less ideal plan. Support can ease the burden: Licensed agents can help you compare side-by-side, explain trade-offs, and guide you through enrollment. You deserve the best match: Everyone’s health and financial needs differ. Don’t settle for the first available option unless it truly fits. How Simco Can Help At Simco, we understand the stress of sudden plan changes. Our licensed insurance advisors are ready to: Help you interpret your discontinuance notice Compare plan options available in your area Assist with enrollment paperwork Explain benefit trade-offs and cost implications You don’t have to navigate this alone. Whether your Medicare Advantage plan was discontinued or you’re simply exploring your options, our team is here to support you. 
Contact us today to schedule a 1-on-1 consultation, and let us help you find the plan that keeps you covered and confident in 2026 and beyond.
October 3, 2025
At Simco, we’re proud to be a trusted isolved Network Partner , which means the Human Capital Management (HCM) technology we deliver to our clients is powered by isolved People Cloud™. And now there’s even more reason to celebrate: isolved has been recognized as the #1 SMB HCM provider across the entire employee lifecycle in Sapient Insights Group’s 28th Annual HR Systems Survey. This annual survey is one of the most respected benchmarks in the HR technology industry. With feedback from over 4,500 HR professionals, Sapient Insights captures the real voice of the customer by evaluating vendors across two critical areas: User Experience (UX) and Vendor Satisfaction (VS). isolved earned an impressive 38 badges this year, the most awarded SMB vendor for the second year in a row, and ranked #1 in 13 different SMB categories . Breaking Down the Results isolved’s recognition wasn’t limited to a single function. It spanned the entire employee lifecycle, covering everything from payroll and benefits to recruiting and workforce management. Highlights from the survey include: Payroll — Ranked #1 in both User Experience and Vendor Satisfaction for SMBs Core HR — #1 in Vendor Satisfaction Benefits — #1 in User Experience Recruiting — #1 in both User Experience and Vendor Satisfaction Time & Attendance — #1 in both User Experience and Vendor Satisfaction Skills Management — #1 in User Experience Rewards & Recognition — #1 in User Experience In addition, isolved placed in the Top 5 across numerous other categories like onboarding, learning, performance management, workforce scheduling, and contingent management. What does this mean? isolved’s solution isn’t just strong in one area, it’s consistently delivering across all the areas that matter most for small and mid-sized businesses. Why This Matters for SMBs Today’s SMBs face more challenges than ever. Recruiting is competitive, employee expectations are higher, and compliance requirements grow more complex every year. 
Business owners often find themselves piecing together multiple vendors to handle payroll, HR, benefits, and insurance, adding complexity and risk. isolved’s sweep across the Sapient Insights report shows that SMBs no longer have to choose between great payroll software and effective talent tools, or between benefits management and workforce scheduling. With isolved, the technology already covers the full employee lifecycle, validated by real-world HR pros. From Recognition to Results isolved’s 38 badges and top rankings validate what our clients experience every day: Accuracy and trust in payroll with fewer errors and compliance risks. Simplified benefits administration that keeps employees happy and businesses competitive. Recruiting and onboarding tools that make hiring more effective. Time and scheduling solutions that align workforce needs with operational efficiency. These results aren’t just about technology; they’re about enabling SMBs to compete, thrive, and support their people better. The Simco Advantage: More Than Just Software Here’s the ultimate key: technology is only half of the solution. Technology is powerful, but the real impact comes from how it’s put into practice. At Simco, we go beyond simply providing software. We deliver a fully integrated HCM and advisory solution that ties every part of workforce management together. Here’s what sets us apart: One Point of Contact: A dedicated resource who understands your business and ensures your HCM, HR, benefits, insurance, and retirement services work in sync. All-in-One Partner: From payroll and HR to insurance and 401(k) plans, we eliminate the hassle of juggling multiple vendors. Advisory + Optimization: We don’t just implement technology. We guide you in using it to strengthen compliance, employee engagement, and growth strategies. As your business grows, your needs change. 
By pairing isolved’s award-winning technology with Simco’s hands-on expertise, we help you stay ahead, operate more efficiently, and build better employee experiences. Key Takeaways isolved’s recognition in the Sapient Insights report shows that SMBs have access to enterprise-grade HR technology tailored for their needs. And with Simco as your partner, you’ll never have to choose between the strength of your platform and the quality of your service; you’ll have both. Want to see how Simco + isolved can streamline your payroll, HR, benefits, and more? Contact us today.
Top 5 Cybersecurity Mistakes That Put Your Business at Risk
October 1, 2025
In today’s digital-first world, small and mid-sized businesses are just as vulnerable as large corporations, if not more so, when it comes to cyberattacks. Limited budgets, fewer in-house IT resources, and the perception of being “too small to target” often leave business owners dangerously exposed. The reality? Hackers don’t discriminate based on size; they look for the easiest entry points.

Here are the top five mistakes businesses make, how to avoid them, and what steps you can take today to protect your company, your employees, and your bottom line.

1. Relying on Weak or Outdated Passwords

Passwords are often the first line of defense, and also the weakest. Too many businesses rely on simple or reused passwords that can be cracked in seconds with modern tools.

The Modern MFA Landscape

While passwords remain standard, multi-factor authentication (MFA) has become the new baseline. However, how you implement MFA matters:
Avoid email for MFA codes. If a phishing attack compromises an employee’s inbox, bad actors can intercept the code and access sensitive systems.
SMS is better but not bulletproof. Text messages provide an extra layer of security but can still be intercepted.
Authenticator apps are the gold standard. Tools like Authy, Microsoft Authenticator, or Google Authenticator create time-based one-time codes that aren’t tied to email or SMS.

Forward-looking companies are also exploring passwordless authentication, a model that reduces dependence on static credentials altogether. Until then, tightening password hygiene and upgrading MFA methods should be immediate priorities.

2. Overlooking Employee Training

Even the most advanced cybersecurity tools can’t stop an employee from clicking a malicious link or downloading infected files. Human error remains the biggest vulnerability in most organizations.

What Employees Need to Know

Instead of broad, once-a-year sessions, ongoing training should focus on the real-world risks employees face daily. Consider including:
How to spot suspicious links and attachments
Why “urgent” or “CEO fraud” emails are red flags
Safe internet practices for remote or hybrid workers
How to report suspicious activity without fear of blame

Building a Culture of Cyber Awareness

Cybersecurity isn’t just an IT issue; it’s a company-wide culture. Leadership should model secure behavior and celebrate employees who catch threats. Over time, security becomes second nature rather than an afterthought.

3. Neglecting Regular Software Updates

Software vendors release updates for a reason: to fix vulnerabilities. Delaying or ignoring these updates gives hackers a direct pathway into your systems.

The Risk of Outdated Systems

Running outdated operating systems, browsers, or applications often leaves “open doors” attackers can exploit. Businesses that don’t patch quickly enough have been at the center of major breaches. Automating updates or assigning a designated IT contact for patch management ensures vulnerabilities are closed before they can be exploited. Even for smaller businesses without dedicated IT staff, outsourced providers or managed IT services can fill this role affordably.

4. Failing to Prepare an Incident Response Plan (IRP)

Too many businesses wait until a breach happens to figure out how to respond. By then, panic sets in, time is lost, and the financial damage increases.

Why an IRP Matters

An Incident Response Plan is essentially a playbook for what your business will do in the first 24–72 hours after an attack. It should outline:
Who is responsible for containment and communication
Steps for isolating affected systems
Legal or regulatory reporting requirements
How to restore backups and resume operations

Tip: Run Cybersecurity Fire Drills

Just like fire drills, businesses should run simulated cyber incidents. Testing your IRP helps employees understand their roles and uncovers gaps before a real attack occurs.

5. Assuming Insurance Alone Is Enough

Some business owners mistakenly believe their general liability insurance will cover cyber-related losses. Unfortunately, most policies exclude data breaches, ransomware, or social engineering scams.

The Role of Cyber Liability Insurance

Cyber liability insurance fills these gaps by covering costs like forensic investigations, customer notifications, legal fees, regulatory fines, and even ransom payments (where legal). For small businesses, this coverage can mean the difference between survival and bankruptcy after a breach.

But insurance should never replace prevention. Instead, think of it as a financial safety net that complements strong security practices, not one that replaces them. Click here to learn more about how Simco’s Commercial Insurance team can help protect your business with cyber and data breach coverage and beyond.

Secure Your Business for the Future

Cybersecurity is no longer optional for businesses; it’s a core part of protecting your employees, customers, and reputation. By addressing these five common mistakes, you’ll not only reduce your risk of an attack but also build trust with clients who want assurance that their data is safe in your hands. Taking proactive steps now, including strengthening authentication, investing in training, creating an IRP, and supplementing with cyber liability insurance, can save untold amounts of money, stress, and reputational damage later.
