Through Compliance Assistance Release No. 2024-01, the U.S. Department of Labor’s Employee Benefits Security Administration (EBSA) is confirming that the cybersecurity guidance it issued in April 2021 generally applies to all employee benefit plans, including health and welfare plans.
ERISA Fiduciary Obligations
Background
In 2021, EBSA issued cybersecurity guidance to help plan sponsors, fiduciaries, service providers, and participants in employee benefit plans safeguard plan data, personal information, and plan assets. In the years since, however, health and welfare plan service providers have told fiduciaries and EBSA investigators that this guidance applies only to retirement plans. As a result, it was recommended in 2022 that EBSA clarify that the guidance also applies to health benefit plans.
Updated Guidance
- Tips for Hiring a Service Provider: This guidance helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor that provider's activities, as required by ERISA.
- Cybersecurity Program Best Practices: This guidance assists plan fiduciaries and recordkeepers in their responsibilities to manage cybersecurity risks.
- Online Security Tips: This guidance offers plan participants and beneficiaries who access their retirement accounts or other employee benefit information online basic rules for reducing the risk of fraud and loss.
Additional Resources
This article is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice. © 2024 Zywave, Inc. All rights reserved.