The Department of Labor’s 2021 cybersecurity guidance, which outlined best practices for ERISA plan fiduciaries, record keepers and participants to safeguard plan data, personal information and plan assets, also applies to ERISA health and welfare plans, the department clarified Sept. 6.
In the years since the department’s Employee Benefits Security Administration issued the guidance, health and welfare plan service providers have told fiduciaries and EBSA investigators that this guidance applies only to retirement plans, the department noted in a compliance release. The department’s ERISA Advisory Council recommended in 2022 that the EBSA clarify that the guidance also applies to health benefit plans.
“All ERISA-covered plans need to implement appropriate best practices to help protect participants and their beneficiaries from cybercrime and emerging threats,” said Lisa M. Gomez, assistant secretary for employee benefits security, in a news release. “These updates remind plan sponsors and fiduciaries of the critical importance of safeguarding job-based benefits and personal information.”
The 2021 guidance has three distinct pieces: tips for plan sponsors and fiduciaries on how to select a service provider with strong cybersecurity practices and how to monitor its activities; a list of 12 cybersecurity program best practices for plan sponsors and record keepers; and a set of online security tips for participants and beneficiaries when accessing a retirement account.