Expanded Cybersecurity Guidance From the DOL

In 2021, the Department of Labor (DOL) issued guidance providing best practices in cybersecurity for employers, plan sponsors, fiduciaries, service providers, and plan participants; however, there was continued uncertainty as to whether it applied only to retirement plans. In response, on September 6, 2024, the DOL issued Compliance Assistance Release No. 2024-01, which confirms that the previous cybersecurity guidance applies to all employee benefit plans, including health and welfare plans. With cyber risks constantly evolving, the update highlights the importance of implementing robust security practices to protect participant information and plan assets.

Similar to the original guidance, the updated version is divided into three parts:

  1. Tips for Hiring a Service Provider – Helps plan sponsors and other fiduciaries prudently select service providers with strong cybersecurity practices and monitor their activities. The DOL advises fiduciaries to ask about the service provider’s information security standards, practices and policies, and audit results, and compare these to the industry standards adopted by other financial or health institutions.
  2. Cybersecurity Program Best Practices – Focuses on assisting plan fiduciaries in their responsibilities to manage cybersecurity risks by hiring service providers that follow certain best practices.
  3. Online Security Tips – Directed at plan participants and beneficiaries who check their retirement accounts or other employee benefit plan information online; these tips are designed to reduce their risk of fraud and loss through strong, unique passwords and multifactor authentication.

Although employers and plan sponsors generally outsource their ERISA plan administration to service providers, it is important to remember that, as plan fiduciaries, they are obligated to act prudently and in the best interests of plan participants and beneficiaries, which includes taking necessary precautions to protect sensitive data from cybersecurity risks. The following are some actions that employers, plan sponsors, and fiduciaries should consider:

  • Conduct due diligence by asking for information on service providers’ cybersecurity policies, audits, and breach history. Include clear cybersecurity terms in contracts and ensure vendors have applicable insurance coverage.
  • Provide privacy and security training for all employees, especially internal team members with access to sensitive data.
  • Implement comprehensive cybersecurity policies that align with DOL and Health and Human Services (HHS) guidelines.
  • Consider performing a self-audit or hiring a cybersecurity expert to assess and improve company/organization cybersecurity practices. Health and welfare plans should consider HIPAA privacy and security requirements.
  • Consult with experienced legal counsel and information security professionals, as necessary.

Even though the new cybersecurity guidance was offered as a recommendation, the DOL will likely expect all ERISA plans to adhere to it. In addition, it is probable that the DOL will increase its focus on data privacy/security issues when conducting audits or investigations on all employee benefit plans in the very near future.

Please contact us if you have questions about the information outlined above; our seasoned and experienced employee benefit plan professionals are here to help. You can also learn more on our Employee Benefit Plan services page.

About the Author

Steph Kramer

Steph joined McKonly & Asbury in 2016 and is currently a Manager in the firm’s Audit & Assurance Segment. Steph audits a broad spectrum of employee benefit plans, including 401(k), 403(b), retirement, profit sharing, health and…