The Department of Labor Reiterates Focus on Cybersecurity
The US Department of Labor (DOL) issued a press release on September 6, 2024, reminding ERISA plan fiduciaries that it considers cybersecurity to be an area of ‘great concern,’ emphasizing the DOL will continue to investigate potential cybersecurity-related ERISA violations. The press release accompanied guidance which updated the DOL’s 2021 cybersecurity guidance; most significantly, it clarified the 2024 updates apply to all types of ERISA plans, including health and welfare plans.
Background
The DOL issued three pieces of guidance in 2021 intended to address the intersection of cybersecurity and ERISA-covered plans. Each piece of guidance was addressed to a different audience:
- Online Security Tips was addressed to ERISA plan participants.
- Tips for Hiring a Service Provider with Strong Cybersecurity Practices (Hiring Tips) was addressed to ERISA plan fiduciaries.
- Cybersecurity Program Best Practices (Best Practices) was addressed to ERISA plan vendors and fiduciaries selecting and monitoring such vendors.
The 2021 guidance was framed only in terms of retirement plans, but it could be read to cover all ERISA plans.
2024 Updates
Outside of clarifying that the DOL’s cybersecurity guidance applies to all ERISA plans – retirement plans and health and welfare plans alike – the 2024 updates were limited:
• In Online Security Tips, the 2024 update tweaked the frequency with which it recommends participants update their passwords (changing it from 120 days to annually), clarified participants should not use common passwords (as opposed to stating they should not use dictionary words), and suggested participants favor longer passwords instead of more frequent resets.
• In Hiring Tips, the 2024 update clarified ERISA plan fiduciaries should ensure their vendors’ insurance coverage covers cybersecurity breaches and incidents involving the plan.
• In Best Practices, the 2024 update indicated ERISA plan vendors who follow these best practices should adopt certain multifactor authentication processes, as well as notify participants of unauthorized acquisition of their personal data without unreasonable delay.
The Bottom Line
Despite the limited scope of the 2024 updates, the takeaway is clear: the DOL continues to see cybersecurity as a top priority, and all ERISA plan fiduciaries (including those overseeing health and welfare plans) should be prepared for the DOL to investigate the steps taken to mitigate their plans’ cybersecurity risks.
In light of this clear message from the DOL, fiduciaries and service providers to ERISA plans (that have access to data and or assets) may want to consider evaluating the plan’s cybersecurity regime, such as through a cybersecurity self-audit, adoption of a cybersecurity policy, or through other improvements to the cybersecurity and or monitoring processes.
For group health plans, this can be done in conjunction with the self-audits that must be conducted to develop those policies and procedures required under the HIPAA Privacy and Security Rules. Final Rules issued under HIPAA earlier this year require group health plans to update their HIPAA privacy policies and procedures and provide associated workforce training by December 22, 2024.
If you need assistance with such process improvements, or have any questions about the impact of this guidance or fiduciary oversight of cybersecurity risk, please contact the Shepherd Financial team.