DOL Compliance Assistance Release No. 2024-01
Available at https://www.dol.gov/agencies/ebsa/key-topics/retirement-benefits/cybersecurity/compliance-assistance-release-2024-01
The DOL’s Employee Benefits Security Administration (EBSA) has updated its 2021 cybersecurity guidance to confirm that it applies to health and welfare plans. The update explains that, since the initial guidance was issued, some health and welfare plan service providers have taken the position, in dealings with plan fiduciaries and EBSA investigators, that the guidance applies only to retirement plans. Accordingly, EBSA has now expressly stated that the guidance applies to all ERISA plans, including health and welfare plans and all types of retirement plans.
The guidance materials—cybersecurity best practices, tips for hiring service providers, and online security tips—have been updated to include references to health and welfare plans. The best practices document reinforces that health and welfare plans (along with pension plans) can be “tempting targets for cybercriminals” because they handle participant personally identifiable data, and provides links to health care-related cybersecurity resources from HHS.
EBIA Comment: Cybersecurity concerns for employee benefit plans are not limited to retirement plans and investments. Because, as the guidance notes, plan fiduciaries have “an obligation to ensure proper mitigation of cybersecurity risks,” fiduciaries for all types of ERISA plans should study the updated materials and implement the recommended practices, which provide insight into the DOL’s expectations for fiduciaries in evaluating potential vulnerabilities and mitigating employee benefit plan cybersecurity risk. Also, in its latest report to Congress, HHS’s Office for Civil Rights (OCR) highlights that hacking/IT incidents remain the largest category of breaches, emphasizing that covered entities must improve their cybersecurity readiness to avoid penalties. For more information, see EBIA’s ERISA Compliance manual at Sections XXVIII.C (“Fiduciary Responsibilities Imposed by ERISA”) and XXX.C (“The TPA Selection Process”). See also EBIA’s Self-Insured Health Plans manual at Section XXIII (“Selecting, Engaging, and Monitoring Service Providers”), EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXIV.J (“Due Diligence in Hiring Business Associates”) and XXIX (“Security Requirements: General Concepts”), EBIA’s Cafeteria Plans manual at Section XVI.E (“Electronic Administration”), EBIA’s Consumer-Driven Healthcare manual at Section XXV.H (“Electronic Administration of HRAs”), and EBIA’s 401(k) Plans manual at Section XXIV.G.2 (“Selecting and Monitoring Service Providers”).