DOL Clarifies Scope of Cybersecurity Guidance

Updated cybersecurity guidance from EBSA extends to all employee retirement benefit plans and health and welfare plans. 

The Department of Labor issued updated cybersecurity guidance on Friday for ERISA-covered employee retirement benefit plans and health and welfare plans. 

The department’s Employee Benefits Security Administration issued its new Compliance Assistance Release as plan sponsors, advisers, recordkeepers and participants face mounting cybersecurity threats. The release updates guidance last issued by the DOL in 2021, while emphasizing that the guidance applies to all plans covered by the Employee Retirement Income Security Act. 


In the compliance release, the DOL noted that since the 2021 guidance, “health and welfare plan service providers have told fiduciaries and EBSA investigators that this guidance only applies to retirement plans.” Lisa Gomez, assistant secretary of labor in charge of EBSA, reiterated that the guidance does, in fact, apply to all ERISA-covered plans in the announcement. 

“All ERISA-covered plans need to implement appropriate best practices to help protect participants and their beneficiaries from cybercrime and emerging threats,” she said in a statement. “These updates remind plan sponsors and fiduciaries of the critical importance of safeguarding job-based benefits and personal information.”  

The release updated best practice guidance in the areas of: 

  • Tips for plan sponsors and fiduciaries when hiring a service provider;  
  • Best practices to help mitigate cybersecurity risks; and 
  • Online security tips for plan participants when checking their retirement accounts. 

There have been numerous cybersecurity breaches involving employer-sponsored retirement plans that have revealed the Social Security numbers and other private information of participants. The most famous recent case was a breach at data transfer firm MOVEit, owned by Progress Software Corp., which included Pension Benefit Information LLC, a data vendor working with large recordkeepers and state-run pension systems. 

EBSA estimates that, as of June, ERISA covers 2.8 million health plans, 619,000 other welfare benefit plans and 765,000 private pension plans. Altogether, the plans cover 153 million workers, retirees and dependents with an estimated $14 trillion in assets.  

“The Employee Benefits Security Administration believes cybersecurity is a great concern for all employee benefit plans, and we continue to investigate potential ERISA violations related to the issue,” Gomez said. 

The guidance is available on the Department of Labor's website as Compliance Assistance Release No. 2024-01 (dol.gov).
