DOL Confirms Cybersecurity Guidelines Apply to Health and Welfare Plans under ERISA
The Department of Labor’s Employee Benefits Security Administration (EBSA) has confirmed in Compliance Assistance Release No. 2024-01 that its cybersecurity guidance issued in April 2021 generally applies to all employee benefit plans, including health and welfare plans. The prior guidance focused on mitigating cybersecurity risks to 401(k) and other retirement plans and clarified that plan fiduciaries are responsible for managing cybersecurity issues. With the new release, EBSA makes clear that plan fiduciaries must monitor cybersecurity risks for all types of ERISA plans, not just retirement plans.
EBSA’s cybersecurity guidelines require plan fiduciaries to take appropriate precautions to mitigate the risk of harm from cybersecurity incidents. The DOL’s guidance was reissued in three parts, now addressing all plans, with a few minor updates to the 2021 guidelines:
- Tips for Hiring a Service Provider with Strong Cybersecurity Practices
- Cybersecurity Program Best Practices for recordkeepers and other service providers
- Online Security Tips for plan participants and beneficiaries who check and manage their accounts online
Employer Action Items
- Conduct a cybersecurity self-audit of internal practices and safeguards (for group health plans subject to both the ERISA fiduciary cybersecurity guidelines and the HIPAA Privacy and Security Rules, consider HIPAA compliance as well).
- Identify gaps in current plan sponsor and fiduciary practices compared to the DOL guidance and take necessary steps to ensure plan fiduciaries can fulfill obligations to protect the plan from cybersecurity risks.
- Review the Hiring Tips and audit current vendors and recordkeepers, making sure that any future RFPs follow the practices outlined by EBSA.
- Provide the Online Security Tips guidance to employees and plan participants.
- Document the steps taken to comply as part of the fiduciary governance process and oversight of health and welfare plans in addition to retirement plans.