Baldwin Bulletin

Updated Cybersecurity Guidance for Employee Benefit Plans

The Baldwin Group | Updated: November 12, 2024 | 2 minute read

In Compliance Assistance Release No. 2024-01, the U.S. Department of Labor’s Employee Benefits Security Administration (“EBSA”) confirmed that the cybersecurity guidance it issued in April 2021 generally applies to all employee benefit plans, including health and welfare plans.

Employer Action Items

  • Employers should use service providers that follow strong cybersecurity practices.
  • Plan sponsors of all ERISA plans should follow the six tips set out in the “Tips for Hiring a Service Provider”, including asking specific questions about the provider’s security standards, practices, and policies, paying attention to specific contract terms, and determining whether the service provider has adequate insurance to cover any losses.
  • Employers should continue to monitor their service providers with periodic cybersecurity check-ins.
  • Employers should review the “Cybersecurity Program Best Practices” for use by recordkeepers and other service providers for plan-related IT systems and data.
  • Employers should consider sharing the “Online Security Tips” with their employees, including those with online benefit accounts.

Summary

In 2021, EBSA issued cybersecurity guidance to assist plan sponsors, fiduciaries, service providers, and participants in employee benefit plans in safeguarding plan data, personal information, and plan assets. However, EBSA stated that in the years since, health and welfare plan service providers have told fiduciaries and EBSA investigators that this guidance applies only to retirement plans. The Department of Labor’s ERISA Advisory Council recommended that EBSA clarify that the guidance also applies to health benefit plans. Accordingly, EBSA issued the recent compliance assistance release, clarifying that the 2021 guidance also applies to health and welfare benefit plans.

The updated guidance includes “Tips for Hiring a Service Provider” to help plan sponsors and fiduciaries; “Cybersecurity Program Best Practices” to assist plan fiduciaries and recordkeepers; and “Online Security Tips” for plan participants and beneficiaries checking accounts online.

The guidance also provides a list of publications from the Department of Health and Human Services that may help health plans, and their service providers, to maintain good cybersecurity practices.
