On September 6, 2024, the U.S. Department of Labor (DOL) issued Compliance Assistance Release No. 2024-01, confirming that its cybersecurity guidance originally released in April 2021 applies to all plans governed by the Employee Retirement Income Security Act (ERISA), including health and welfare plans, not only retirement plans.
Although employers generally outsource their ERISA plan administration to service providers, employers still retain an obligation as plan fiduciary to act prudently and in the best interests of plan participants and beneficiaries, which includes taking necessary precautions to protect sensitive data from cybersecurity risk.
The recently updated cybersecurity guidance includes three documents:
- Tips for Hiring a Service Provider: This document provides important steps that plan sponsors and fiduciaries can take to prudently select a service provider with strong cybersecurity practices and monitor their activity as required by ERISA.
- Cybersecurity Program Best Practices: This guide provides best practices for ERISA-covered plan fiduciaries and service providers for implementing a solid cybersecurity program.
- Online Security Tips: This document suggests online security tips for plan participants with retirement accounts or other employee benefit plan information.
Of the three cybersecurity guidance documents, the first document (that provides tips for hiring a service provider) applies most directly to employers. The second document is more informational in nature and the third is directed toward plan participants. Also included in the DOL release were publications from the Department of Health and Human Services (HHS) to assist health plans and their service providers to maintain good cybersecurity practices.
Even though the guidance is framed as a set of recommendations, the DOL can be expected to treat it as the baseline for what a prudent ERISA plan fiduciary does. Fortunately, these tips should not come as a surprise to privacy and security professionals, as they reflect existing industry standards and best practices.
Employer Action
Employers that sponsor ERISA plans may want to consider the following actions:
- Review and update the vetting process for service providers.
- Audit service providers to ensure follow-through with commitments and compliance with cybersecurity requirements.
- Review service agreements to confirm sufficient cybersecurity protocols have been memorialized.
- Implement comprehensive cybersecurity policies that align with the DOL and HHS guidelines.
- Provide privacy and security training for all employees, especially internal team members with access to sensitive data.
- Consider self-audits of internal cybersecurity practices to check for potential gaps and make improvements.
- Consult with experienced legal counsel and information security professionals, as necessary.
Additional Resources
The information and materials on this blog are provided for informational purposes only and are not intended to constitute legal or tax advice. Information provided in this blog may not reflect the most current legal developments and may vary by jurisdiction. The content on this blog is for general informational purposes only and does not apply to any particular facts or circumstances. The use of this blog does not in any way establish an attorney-client relationship, nor should any such relationship be implied, and the contents do not constitute legal or tax advice. If you require legal or tax advice, please consult with a licensed attorney or tax professional in your jurisdiction. The contributing authors expressly disclaim all liability to any persons or entities with respect to any action or inaction based on the contents of this blog. © 2024 Sequoia Consulting Group. All Rights Reserved.