Plan cybersecurity practices have long been a focus of the U.S. Department of Labor (the “DOL”) and, as we previously reported here, the DOL issued guidance in 2021 on best practices for plan sponsors, fiduciaries, recordkeepers, and plan participants to help safeguard plan data, personal information, and plan assets (the “2021 Cybersecurity Guidance”). Since its publication, there has been confusion in the benefit plan industry about whether the 2021 Cybersecurity Guidance applies only to retirement plans or whether it also applies to health and welfare plans.
In Compliance Assistance Release No. 2024-01 (the “DOL Release”), the DOL has clarified that the 2021 Cybersecurity Guidance applies to all types of plans governed by the Employee Retirement Income Security Act of 1974 (“ERISA”), including health and welfare plans. With this clarification, the DOL also updated the three documents that make up the 2021 Cybersecurity Guidance to add references to health and welfare plans:
- Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor its activities, as ERISA requires.
- Cybersecurity Program Best Practices: Assists plan fiduciaries and recordkeepers in carrying out their responsibilities to manage cybersecurity risks.
- Online Security Tips: Offers plan participants and beneficiaries who check their retirement accounts or other employee benefit plan information online basic rules to reduce the risk of fraud and loss.
As part of the DOL Release, the DOL also referenced publications prepared by the U.S. Department of Health and Human Services (“HHS”) to assist health plans and their service providers in maintaining good cybersecurity practices. The DOL Release is a good reminder that sponsors of both retirement plans and health and welfare plans should discuss cybersecurity with their plans’ service providers at least annually and should ensure that their service provider agreements include cybersecurity provisions consistent with the 2021 Cybersecurity Guidance.
The DOL Release is available here.