Skip to content
Baldwin Bulletin

Updated Cybersecurity Guidance for Employee Benefit Plans

The Baldwin Group
|
Updated: November 12, 2024
|
2 minute read

In Compliance Assistance Release No. 2024-01, the U.S. Department of Labor’s Employee Benefits Security Administration (“EBSA”) confirmed that the cybersecurity guidance it issued in April 2021 generally applies to all employee benefit plans, including health and welfare plans.

 Employer Action Items

  • Employers should use service providers that follow strong cybersecurity practices.
  • Plan sponsors of all ERISA plans should use the six tips set out in the specific “Tips for Hiring a Service Provider”, including asking specific questions about their security standards and practices and policies as well as paying attention to specific contract terms and determining whether the service provider has adequate insurance to cover any losses.
  • Employers should continue to monitor their service providers with periodic cybersecurity check-ins.
  • Employers should review the “Cybersecurity Program Best Practices” for use by recordkeepers and other service providers for plan-related IT systems and data.
  • Employers should consider sharing the “Online Security Tips” with their employees, including those with online benefit accounts.

Summary

In 2021, EBSA issued cybersecurity guidance to assist plan sponsors, fiduciaries, service providers, and participants in employee benefit plans to safeguard plan data, personal information, and plan assets.  However, the EBSA stated that in the years since, health and welfare plan service providers have told fiduciaries and EBSA investigators that this guidance only applies to retirement plans. The Department of Labor’s ERISA Advisory Council recommended to the EBSA that they should clarify that the guidance also applies to health benefit plans. Accordingly, the EBSA issued recent compliance assistance, clarifying that the 2021 guidance also applies to health and welfare benefit plans.

The updated guidance includes “Tips for Hiring a Service Provider” to help plan sponsors and fiduciaries; “Cybersecurity Program Best Practices” to assist plan fiduciaries and recordkeepers; and, “Online Security Tips” for plan participants and beneficiaries checking accounts online. 

The guidance also provides a list of publications from the Department of Health and Human Services that may help health plans, and their service providers, to maintain good cybersecurity practices.

Additional Resources


Related Insights

Stay in the know

Our experts monitor your industry and global events to provide meaningful insights and help break down what you need to know, potential impacts, and how you should respond.

Baldwin Bulletin
Upcoming Compliance Deadlines - May 2025
Employers must comply with numerous reporting and disclosure requirements in connection with their group health plans.  Please note the following...
Baldwin Bulletin
Exploring Adoption Assistance Programs
May 1, 2025 Caitlin Hillenbrand, Associate Director, Benefits Compliance An increasing number of companies are integrating adoption assistance benefits into...
Baldwin Bulletin
Revised Simplified Determination Method for 2026 Medicare Part D Creditable Coverage
May 1, 2025 Paul Van Brunt, Associate Director, Benefits Compliance Recently, the Centers for Medicare & Medicaid Services (“CMS”) finalized...
Baldwin Bulletin
Americans with Disability Act Compliance Scaled Back
May 1, 2025 Paul Van Brunt, Associate Director, Benefits Compliance The U.S. Department of Justice (“DOJ”) recently scaled back available...
Baldwin Bulletin
Trump Administration Takes Aggressive Steps Toward Prohibiting Gender-affirming Care for Children and Adults
May 1, 2025 Jason Sheffield, National Director, Benefits Compliance Introduction On January 20, 2025, newly elected President Trump signed an...
Let's make it possible

Partner with us to build solutions that align with your business, individual, or employee needs and open new possibilities for your future.

Connect with us