In Compliance Assistance Release No. 2024-01, the U.S. Department of Labor’s Employee Benefits Security Administration (“EBSA”) confirmed that the cybersecurity guidance it issued in April 2021 generally applies to all employee benefit plans, including health and welfare plans.
Employer Action Items
- Employers should use service providers that follow strong cybersecurity practices.
- Plan sponsors of all ERISA plans should apply the six tips set out in “Tips for Hiring a Service Provider”, including asking prospective providers targeted questions about their security standards, practices, and policies; paying attention to contract terms that address cybersecurity (for example, information-security reporting, breach notification, and compliance with records-retention and privacy laws); and determining whether the service provider carries adequate insurance to cover losses from a cybersecurity or identity-theft incident.
- Employers should continue to monitor their service providers with periodic cybersecurity check-ins.
- Employers should review the “Cybersecurity Program Best Practices”, which describe what recordkeepers and other service providers responsible for plan-related IT systems and data are expected to have in place, and use them as a benchmark when evaluating and monitoring providers.
- Employers should consider sharing the “Online Security Tips” with their employees, including those with online benefit accounts.
Summary
In 2021, EBSA issued cybersecurity guidance to help plan sponsors, fiduciaries, service providers, and participants in employee benefit plans safeguard plan data, personal information, and plan assets. EBSA has since reported that some health and welfare plan service providers have told fiduciaries and EBSA investigators that the guidance applies only to retirement plans. The Department of Labor’s ERISA Advisory Council recommended that EBSA clarify that the guidance also applies to health benefit plans. Accordingly, EBSA issued Compliance Assistance Release No. 2024-01, confirming that the 2021 guidance applies to health and welfare benefit plans as well.
The updated guidance includes “Tips for Hiring a Service Provider” for plan sponsors and fiduciaries; “Cybersecurity Program Best Practices” for plan fiduciaries and recordkeepers; and “Online Security Tips” for plan participants and beneficiaries who check their accounts online.
The release also lists publications from the Department of Health and Human Services that may help health plans and their service providers maintain good cybersecurity practices.
Additional Resources
- Compliance Assistance Release No. 2024-01 (https://www.dol.gov/agencies/ebsa/key-topics/retirement-benefits/cybersecurity/compliance-assistance-release-2024-01).
- Tips for Hiring a Service Provider with Strong Cybersecurity Practices (https://www.dol.gov/agencies/ebsa/key-topics/retirement-benefits/cybersecurity/tips-for-hiring-a-service-provider-with-strong-security-practices).
- Cybersecurity Program Best Practices (linked from the Compliance Assistance Release page above).
- Online Security Tips (https://www.dol.gov/agencies/ebsa/key-topics/retirement-benefits/cybersecurity/online-security-tips).
- Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.
- Technical Volume 1: Cybersecurity Practices for Small Healthcare Organizations.
- Technical Volume 2: Cybersecurity Practices for Medium and Large Healthcare Organizations.
For more information
We’re ready when you are. Get in touch and a friendly, knowledgeable Baldwin advisor is prepared to discuss your business or individual needs, ask a few questions to get the full picture, and make a plan to follow up.
This document is intended for general information purposes only and should not be construed as advice or opinions on any specific facts or circumstances. The content of this document is made available on an “as is” basis, without warranty of any kind. The Baldwin Insurance Group Holdings, LLC (“The Baldwin Group”), its affiliates, and subsidiaries do not guarantee that this information is, or can be relied on for, compliance with any law or regulation, assurance against preventable losses, or freedom from legal liability. This publication is not intended to be legal, underwriting, or any other type of professional advice. The Baldwin Group does not guarantee any particular outcome and makes no commitment to update any information herein or remove any items that are no longer accurate or complete. Furthermore, The Baldwin Group does not assume any liability to any person or organization for loss or damage caused by or resulting from any reliance placed on that content. Persons requiring advice should always consult an independent adviser.
The Baldwin Group offers insurance services through one or more of its insurance licensed entities. Each of the entities may be known by one or more of the logos displayed; all insurance commerce is only conducted through The Baldwin Group insurance licensed entities. This material is not an offer to sell insurance.