DOL Confirms Cybersecurity Guidance Applies to All Employee Benefit Plans

The U.S. Department of Labor’s (“DOL”) Employee Benefits Security Administration (“EBSA”) clarified in Compliance Assistance Release No. 2024-01 that its 2021 cybersecurity guidance extends to all ERISA-covered health and welfare plans. This guidance, which goes beyond HIPAA requirements for health plans, includes updated sections on “Tips for Hiring a Service Provider,” “Cybersecurity Program Best Practices,” and “Online Security Tips” to reflect this expanded application.

Overview

In April 2021, the EBSA released cybersecurity guidance for benefit plan fiduciaries and service providers, outlining best practices for cybersecurity management. Acknowledging ERISA’s mandate for fiduciaries to implement protective measures against cyber risks, the guidance was presented in three parts aimed at plan sponsors, fiduciaries, record keepers, and participants.

Initially, there was some confusion about whether the guidance applied exclusively to retirement plans. However, the latest update from EBSA clarifies that its cybersecurity guidelines also cover ERISA-governed health and welfare plans.

Cybercrime poses a significant and growing threat to employer-sponsored benefit plans, particularly those handling sensitive health and personal information. While HIPAA regulations provide a robust framework for protecting health information, other ERISA-covered welfare benefits, such as life insurance, disability, and accident coverage, are not explicitly protected by HIPAA.

EBSA Guidance

To address this gap, the EBSA has issued cybersecurity guidance for ERISA-covered plans. This guidance emphasizes the importance of safeguarding sensitive information, including personally identifiable information (“PII”) and protected health information (“PHI”).

Both HIPAA-compliant and non-HIPAA-covered plans can benefit from the EBSA’s guidance. While HIPAA-compliant plans may already have many of the necessary security measures in place, all ERISA-covered plans should review and enhance their cybersecurity practices.

The EBSA’s guidance provides three key resources to aid plan fiduciaries and service providers in implementing effective cybersecurity measures. These resources offer practical recommendations tailored to the specific needs of different plans, considering factors such as size, complexity, and the volume of data involved.

Selecting a Service Provider Guidance

Employers and plan sponsors often rely on service providers to manage records, protect participant data, and secure accounts. The EBSA issued Tips for Hiring a Service Provider to help sponsors meet their ERISA duties in selecting and monitoring these providers. The EBSA recommends that plan fiduciaries:

1. Inquire about the service provider’s security standards, practices, policies, and audit results, comparing them to industry standards. Seek providers that follow recognized security frameworks and undergo third-party audits, with annual reports verifying data security, availability, integrity, and confidentiality.
2. Ask the service provider how it verifies its practices and what security standards it has achieved. Ensure the contract includes provisions allowing you to review audit results confirming compliance.
3. Assess the service provider’s industry track record, including publicly available information on security incidents, litigation, and legal actions related to its services.
4. Inquire if the service provider has had any previous security breaches, what occurred, and how they addressed the situation.
5. Determine if the service provider holds insurance policies that cover losses from cybersecurity and identity theft breaches, including those from internal threats, like employee misconduct, as well as external threats, such as third-party account hijacking.
6. When entering into a contract with a service provider, ensure it mandates ongoing compliance with cybersecurity and information security standards. Be cautious of clauses that limit the provider’s liability for IT security breaches. Additionally, aim to incorporate terms that strengthen cybersecurity protections for the plan and its participants.

Fiduciaries of pension, health and welfare benefit plans should keep these recommendations in mind for all service providers—not only insurers, third-party administrators (TPAs), or pharmacy benefit managers (“PBMs”), but also consultants, wellness vendors, data analysts, trustees, and others.

Cybersecurity Program Best Practices Guidance

The EBSA’s second guidance, Cybersecurity Program Best Practices, provides twelve best practices for recordkeepers and service providers managing plan-related IT systems and data, as well as for plan fiduciaries making informed decisions about service provider selection. The EBSA recommends that service providers:

1. Establish a formal, well-documented cybersecurity program.
2. Perform thorough annual risk assessments.
3. Conduct reliable annual third-party audits of security controls.
4. Clearly define and assign roles and responsibilities related to information security.
5. Implement robust access control procedures.
6. Ensure that any data or assets stored in the cloud or managed by third-party providers undergo appropriate security reviews and independent assessments.
7. Provide regular cybersecurity awareness training.
8. Manage a secure system development life cycle (SDLC) program.
9. Maintain an effective business resiliency program for continuity, disaster recovery, and incident response.
10. Encrypt sensitive data, both at rest and in transit.
11. Implement strong technical controls based on best security practices.
12. Address any previous cybersecurity incidents appropriately.

Online Security Tips Guidance

The EBSA’s Online Security Tips Guidance offers essential tips to help reduce the risk of fraud and losses related to retirement accounts. Key best practices include regularly monitoring online accounts, using strong and unique passwords, enabling multi-factor authentication, keeping personal contact information up to date, closing unused accounts, avoiding public Wi-Fi, and being cautious of phishing attacks. Additionally, the guidance covers the importance of using antivirus software, reporting identity theft and cybersecurity incidents, and other strategies to safeguard digital accounts and personal information.

The EBSA recommends the following to reduce the risk of fraud and loss to retirement accounts:

1. Register and monitor your online account
   • Set up online access to manage and safeguard your retirement account.
   • Regularly check your account to detect fraudulent access.
   • Not registering may allow cybercriminals to assume your identity.
2. Use strong and unique passwords
   • Avoid dictionary words; use a mix of upper and lower case letters, numbers, and special characters.
   • Avoid sequences like “abc” or “123”.
   • Aim for at least 14 characters, and don’t write passwords down.
   • Consider a secure password manager.
   • Change passwords every 120 days or after a breach, and never share or reuse them.
3. Enable multi-factor authentication (MFA)
   • MFA adds an extra layer of security, requiring a second credential (like a code sent via text or email).
4. Keep personal contact information updated
   • Update your contact details to ensure you can be reached in case of issues.
   • Provide multiple communication options.
5. Close or delete unused accounts
   • Reduce your online presence by closing accounts you no longer use.
   • Sign up for account activity notifications to monitor changes.
6. Be cautious with free Wi-Fi
   • Public Wi-Fi networks pose security risks; consider using your cellphone or home network instead.
7. Watch out for phishing attacks
   • Be wary of messages tricking you into revealing personal information.
   • Look for signs of phishing, such as unexpected messages, spelling errors, mismatched links, or urgent requests for personal data.
8. Use antivirus software and keep your systems updated
   • Install reputable antivirus software and keep it updated to protect against malware.
   • Regularly update all software to ensure you have the latest security patches.

Conclusion

As cyber threats continue to evolve and pose significant risks to health, welfare, and pension plans, it is crucial for employers and plan sponsors to prioritize cybersecurity. By implementing best practices for selecting and monitoring service providers, maintaining robust security measures, and fostering a culture of cybersecurity awareness, organizations can better protect their assets and sensitive participant information. Individual vigilance in managing online accounts is essential to mitigate risks associated with cybercrime. By taking proactive steps to strengthen cybersecurity, both employers and participants can contribute to a safer, more secure environment for managing retirement and welfare benefits.