On September 6th, 2024, the Department of Labor (DOL) issued a press release reminding ERISA plan fiduciaries that it considers cybersecurity to be an area of “great concern.” Due to a rash of cybersecurity incidents, the DOL has increased its investigations of violations in this area. The DOL also published updated cybersecurity guidance that builds on documents the Department released in 2021. Most importantly, these new publications clarify that the DOL’s cybersecurity guidelines apply to all types of ERISA plans, including health and welfare plans.
The guidance the DOL released in 2021 consists of three documents:
· Cybersecurity Program Best Practices, which includes a detailed set of twelve best practices that organizations should adopt to mitigate cybersecurity risks;
· Tips for Hiring a Service Provider with Strong Cybersecurity Practices, which offers six tips to help organizations select service providers with strong cybersecurity practices; and
· Online Security Tips, which lists nine online security tips to help individuals protect their accounts against fraud and loss.
Some service providers interpreted this guidance as applying only to retirement plans, prompting the DOL to affirm in the 2024 iteration of its guidance that the cybersecurity recommendations apply to all plans subject to ERISA. Aside from new language to this effect, the 2024 versions of the documents listed above remain largely the same. One notable enhancement is the inclusion of additional language specifying that plan sponsors should ensure their vendors’ insurance covers cybersecurity breaches and incidents involving the plan. The updated guidance now also reflects specific multifactor authentication process recommendations, a participant notification requirement if a cybersecurity breach occurs, and a list of additional cybersecurity resources.
Given the DOL’s clarification that its cybersecurity guidelines apply to all plans subject to ERISA, and that it considers this topic to be of great concern, we would encourage employers, as plan sponsors, to audit their existing cybersecurity protocols for any plan data that is stored or accessed internally against these updated requirements and recommendations, and to take reasonable steps to address any gaps. In addition, the employer should confirm that its vendors and service providers are separately implementing these requirements for any plan data they handle. Doing so will help employers fulfill their fiduciary duties towards participants, highlight potential areas of improvement, and reaffirm which of their cybersecurity practices are already in alignment with DOL guidance.
Of note, while HIPAA privacy and security compliance efforts for group health plans may not address all ERISA plans sponsored by an employer, they will provide a meaningful framework to apply to any plans that fall outside HIPAA’s scope. Employers that have not yet addressed HIPAA’s privacy and security requirements, including developing written policies and procedures and conducting a HIPAA security risk analysis, may want to prioritize this in light of the updated cybersecurity guidance.