DOL Confirms Cybersecurity Guidance Application: Tips for retirement and health and welfare plan fiduciaries to stay vigilant

On Friday, September 6, 2024, the U.S. Department of Labor (DOL) confirmed that its 2021 cybersecurity guidance extends to all employee benefit plans, including health and welfare plans. This clarification, issued through a Compliance Assistance Release, underscores the importance of robust cybersecurity practices across all sectors of employee benefits, not just retirement plans. The retirement plan industry has already made significant strides in adopting these guidelines, and now the health and welfare plan sector must follow suit.

A History of Cybersecurity Guidance

In 2021, the DOL issued a set of best practices for cybersecurity aimed at plan sponsors, fiduciaries, recordkeepers, and plan participants within the retirement industry. These guidelines were designed to protect participants’ accounts and sensitive data in an increasingly digital world. As cyber threats have grown more sophisticated, the need for strong cybersecurity measures in employee benefit plans has become paramount.

Although the retirement industry quickly embraced the guidance, the DOL’s recent release clarifies that health and welfare plans – covering areas like medical benefits, disability insurance, and other non-retirement benefits – are equally at risk and must adopt similar protective measures.

Expanding Cybersecurity Protections to Health and Welfare Plans

The DOL’s extension of its cybersecurity guidance to health and welfare plans signals a growing recognition that all employee benefits are vulnerable to cyber threats. Health and welfare plans hold vast amounts of personal and sensitive data, making them an attractive target for cybercriminals. These plans often include personal health information (PHI), financial data, and other personally identifiable information (PII) of employees and their dependents.

With this new release, the DOL is urging the health and welfare plan industry to adopt the same level of vigilance as the retirement plan industry. The guidance emphasizes the need for fiduciaries and service providers to prioritize cybersecurity in all aspects of plan administration.

DOL’s Tips for Hiring a Service Provider

One of the critical aspects of the DOL’s cybersecurity guidance is its recommendations for hiring service providers. Fiduciaries of health and welfare plans are encouraged to ask the right questions and thoroughly vet service providers to ensure they meet robust cybersecurity standards. Among the key recommendations are:

  • Review Information Security Practices: Fiduciaries should ask service providers about their information security standards, practices, and audit results. This information should then be compared to industry standards adopted by financial or health institutions.
  • Validate Security Standards: Fiduciaries should inquire how service providers validate their cybersecurity practices and what specific security standards they have implemented. Contracts should include provisions granting the fiduciary the right to review audit results that demonstrate compliance with these standards.
  • Evaluate the Provider’s Track Record: It is critical to examine the service provider’s history in the industry, particularly regarding information security incidents, litigation, or legal proceedings related to cybersecurity breaches.
  • Assess Breach History and Response: Fiduciaries should ask whether the service provider has experienced past security breaches and how those breaches were handled. Understanding the response strategy can provide insight into the provider’s ability to handle potential threats in the future.
  • Insurance Coverage for Cybersecurity Threats: Fiduciaries should inquire about any insurance policies the service provider may have that cover losses caused by cybersecurity or identity theft breaches. This includes coverage for both internal threats (such as employee misconduct) and external threats (such as third-party attacks).
  • Contract Provisions to Ensure Compliance: Fiduciaries must ensure that service provider contracts include clauses that require ongoing compliance with cybersecurity standards. They should also avoid provisions that limit the provider’s liability for breaches. Contracts should, where possible, include terms that enhance cybersecurity protection for the plan and its participants.

Implications for Health and Welfare Plans

By confirming that the 2021 cybersecurity guidance applies to health and welfare plans, the DOL is ensuring a consistent and comprehensive approach to protecting participants’ data. Health and welfare plans are now expected to adopt similar best practices and hold their service providers accountable for maintaining high standards of cybersecurity.

The extension of these guidelines should prompt fiduciaries and service providers in the health and welfare space to evaluate their current cybersecurity practices and make necessary improvements. This could involve conducting security audits, updating contractual obligations with service providers, and investing in stronger cybersecurity measures to protect participant data from growing threats.

Looking Ahead

As cyber threats continue to evolve, it is crucial for both retirement and health and welfare plan fiduciaries to stay vigilant. The DOL’s confirmation of its cybersecurity guidance for all employee benefit plans highlights the need for ongoing education and proactive measures in securing sensitive information.

In this digital age, safeguarding employee benefit plans against cyber threats is not just a regulatory requirement – it’s a fiduciary responsibility. The DOL’s expanded guidance reinforces the importance of taking a proactive and comprehensive approach to cybersecurity to ensure that participants’ benefits are protected, no matter the type of plan.

With the DOL leading the charge, plan sponsors, fiduciaries, and service providers must work together to build a safer, more secure future for employee benefits.

Copyright © 2024 FMeX. All rights reserved.
Distributed by Financial Media Exchange.