DOL Updates and Reinforces its Cybersecurity Guidance
On September 6, 2024, the U.S. Department of Labor (“DOL”) issued a News Release updating its 2021 cybersecurity guidance and confirming that the guidance applies to all ERISA plans, including health and welfare benefit plans as well as all retirement benefit plans.
As background, in 2021 the DOL issued cybersecurity guidance to help plan sponsors, fiduciaries, service providers, and participants safeguard plan data, personal information, and plan assets. Since then, DOL investigators have included cybersecurity-related questions and document requests in their audits of ERISA plans.
While the DOL’s cybersecurity guidance is not itself a regulation, cybersecurity is unquestionably important in today’s data-driven world and falls within a plan fiduciary’s duty to act prudently in protecting plan assets and participant data. In the DOL’s News Release, Assistant Secretary for Employee Benefits Security Lisa Gomez stressed the importance of cyber-protections: “All ERISA covered-plans need to implement appropriate best practices to help protect participants and their beneficiaries from cybercrime and emerging threats. These updates remind plan sponsors and fiduciaries of the critical importance of safeguarding job-based benefits and personal information.”
The DOL’s updated guidance again consists of three documents: Tips for Hiring a Service Provider with Strong Cybersecurity Practices, Cybersecurity Program Best Practices, and Online Security Tips for participants. Other than clarifying that the 2021 guidance applies to all ERISA plans, the 2024 guidance contains few substantive changes. One of the notable changes appears in the Hiring Tips, which now clarify that fiduciaries should confirm that their vendors’ insurance coverage extends to cybersecurity breaches and incidents involving the plan.
Despite the limited scope of the 2024 updates, the guidance is worth revisiting given its clear takeaway: the DOL views cybersecurity as a top priority, and all ERISA plan fiduciaries should take steps to mitigate their plans’ cybersecurity risks. Fiduciaries should also expect questions about their plans’ cybersecurity policies, and about how they vetted their service providers, on audit.
With this in mind, we recommend that all ERISA plan sponsors review and update their cybersecurity policies and implement safeguards tailored to the data and assets held in their health and welfare plans and retirement plans.
Baird Holm has experts in the areas of technology and cyber-defense policies, cyber-breach incident response, legal-based risk management solutions, and fraud prevention. We encourage you to reach out with any questions about the DOL’s new guidance, or about cybersecurity in general.