DOL Confirms Cybersecurity Guidance Applies to Health & Welfare Plans

The Employee Benefits Security Administration (EBSA), part of the Department of Labor (DOL), recently published compliance assistance guidance confirming that its cybersecurity guidance from April 2021 applies to all ERISA plans, including health and welfare plans.

EBSA published this recent compliance assistance guidance in the wake of confusion amongst ERISA[1] health and welfare plan sponsors who were informed by their plan service providers that the EBSA April 2021 cybersecurity guidance did not apply to them, but rather only to ERISA retirement plans. The DOL’s ERISA Advisory Council recommended in 2022 that the EBSA clarify that the guidance also applies to health benefit plans, resulting in this updated EBSA guidance.

This recent guidance leaves no doubt that the DOL cybersecurity guidance from April 2021 applies to ERISA health and welfare plans as well. It also provides valuable resources, tips, and best practices for all ERISA plans to follow in their fiduciary efforts to protect plan data, personal information, and plan assets.

Notably, the guidance includes links to the following resources for employers sponsoring ERISA benefit plans, including health and welfare plans:

  • Tips for Hiring a Service Provider:

    Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as required under ERISA.

    Key tips include:

    • Asking about the service provider’s information security standards, practices and policies, and audit results, and comparing them to the industry standards adopted by other organizations;
    • Validating implemented security standards;
    • Evaluating the service provider’s track record, including its history of security incidents and breaches;
    • Confirming whether the service provider has cybersecurity and identity-theft insurance; and
    • Documenting contractual provisions for cybersecurity and information security standards.
  • Cybersecurity Program Best Practices:

    Assists plan fiduciaries and record-keepers in their responsibilities to manage cybersecurity risks.

    Below is a summary of the best practices (discussed in greater detail in the guidance document):

    1. Have a formal, well-documented cybersecurity program.
    2. Conduct prudent annual risk assessments.
    3. Have a reliable annual third-party audit of security controls.
    4. Clearly define and assign information security roles and responsibilities.
    5. Have strong access control procedures.
    6. Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
    7. Conduct periodic cybersecurity awareness training.
    8. Implement and manage a secure system development life cycle (SDLC) program.
    9. Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
    10. Encrypt sensitive data, stored and in transit.
    11. Implement strong technical controls in accordance with best security practices.
    12. Appropriately respond to any past cybersecurity incidents.
  • Online Security Tips:

    Offers basic rules for plan participants and beneficiaries who check their retirement accounts or other employee benefit plan information online, to reduce the risk of fraud and loss, such as:

    • using strong and unique passwords/passphrases
    • using multi-factor authentication
    • closing/deleting unused accounts
    • using a cellphone or home network instead of free Wi-Fi networks, and
    • watching out for phishing attacks.

Employer Takeaways

ERISA health and welfare and retirement benefit plans, which contain sensitive personal data of their plan participants, continue to serve as enticing targets for bad actors. As a result, employers sponsoring all types of ERISA benefit plans are advised to review the updated guidance and resources carefully, and follow the tips and recommended best practices to protect their plans’ data and information.

As reports of data breaches, hacks, and other technology-related incidents become increasingly ubiquitous, this clarifying guidance underscores the DOL’s continued focus on ERISA plans’ cybersecurity risk mitigation measures to protect their plans. As stated in the accompanying EBSA press release, EBSA “believes cybersecurity is a great concern for all employee benefit plans and we continue to investigate potential ERISA violations related to the issue.”

Employers are encouraged to take advantage of this updated EBSA guidance to understand their plans’ cybersecurity requirements and bolster their plans’ cybersecurity hygiene practices.

Risk Strategies is committed to keeping employers informed and up-to-date. Contact us at benefits@risk-strategies.com.


[1] ERISA refers to the Employee Retirement Income Security Act of 1974.