The Department of Labor Reiterates Focus on Cybersecurity

The US Department of Labor (DOL) issued a press release on September 6, 2024, reminding ERISA plan fiduciaries that it considers cybersecurity to be an area of ‘great concern,’ emphasizing the DOL will continue to investigate potential cybersecurity-related ERISA violations. The press release accompanied guidance which updated the DOL’s 2021 cybersecurity guidance; most significantly, it clarified the 2024 updates apply to all types of ERISA plans, including health and welfare plans.

Background

The DOL issued three pieces of guidance in 2021 intended to address the intersection of cybersecurity and ERISA-covered plans. Each piece of guidance was addressed to a different audience:

  1. Online Security Tips was addressed to ERISA plan participants.
  2. Tips for Hiring a Service Provider with Strong Cybersecurity Practices (Hiring Tips) was addressed to ERISA plan fiduciaries.
  3. Cybersecurity Program Best Practices (Best Practices) was addressed to ERISA plan vendors and fiduciaries selecting and monitoring such vendors.

The 2021 guidance was framed only in terms of retirement plans, but it could be read to cover all ERISA plans.

2024 Updates

Outside of clarifying that the DOL’s cybersecurity guidance applies to all ERISA plans – retirement plans and health and welfare plans alike – the 2024 updates were limited:

• In Online Security Tips, the 2024 update tweaked the frequency with which it recommends participants update their passwords (changing it from 120 days to annually), clarified participants should not use common passwords (as opposed to stating they should not use dictionary words), and suggested participants favor longer passwords instead of more frequent resets.

• In Hiring Tips, the 2024 update clarified ERISA plan fiduciaries should ensure their vendors’ insurance coverage covers cybersecurity breaches and incidents involving the plan.

• In Best Practices, the 2024 update indicated ERISA plan vendors who follow these best practices should adopt certain multifactor authentication processes, as well as notify participants of unauthorized acquisition of their personal data without unreasonable delay.

The Bottom Line

Despite the limited scope of the 2024 updates, the takeaway is clear: the DOL continues to see cybersecurity as a top priority, and all ERISA plan fiduciaries (including those overseeing health and welfare plans) should be prepared for the DOL to investigate the steps taken to mitigate their plans’ cybersecurity risks.

In light of this clear message from the DOL, fiduciaries and service providers to ERISA plans (that have access to plan data and/or assets) may want to consider evaluating the plan’s cybersecurity regime, such as through a cybersecurity self-audit, adoption of a cybersecurity policy, or other improvements to the cybersecurity and/or monitoring processes.

For group health plans, this can be done in conjunction with the self-audits that must be conducted to develop those policies and procedures required under the HIPAA Privacy and Security Rules. Final Rules issued under HIPAA earlier this year require group health plans to update their HIPAA privacy policies and procedures and provide associated workforce training by December 22, 2024.

If you need assistance with such process improvements, or have any questions about the impact of this guidance or fiduciary oversight of cybersecurity risk, please contact the Shepherd Financial team.

Essential Cybersecurity Practices

In an age where digital threats are just a click away, understanding how to protect yourself online isn’t just advisable – it’s essential. This guide is your first step toward mastering the essentials of cybersecurity, providing you with the knowledge to shield your personal and financial data from the evolving dangers of the digital world.

The Foundations of Cyber Safety
Embarking on a journey towards comprehensive cyber safety starts with mastering a few fundamental practices. By adopting the four simple steps outlined below, you can significantly enhance your digital security. These measures are designed to fortify your identity and sensitive data against the myriad threats that lurk online. Each step serves as a pivotal building block in constructing a robust defense for your personal and professional digital environments.

Multifactor Authentication (MFA)
Also known as Two-Factor Authentication, Two-Step Authentication, MFA, or 2FA, these terms all refer to the same concept: adding an additional verification step when a trusted website or application needs to confirm that you are the person you claim to be when logging into its system. MFA adds a critical layer of security by requiring two forms of identification before access is granted. This method significantly reduces the risk of unauthorized access, even if a password is compromised, because the likelihood that an attacker also holds the secondary authentication factor is minimal.

Regular Software Updates
Keeping software up to date is not just about accessing new features but primarily about securing devices from vulnerabilities that hackers exploit. Updates often include patches for security flaws that, if left unaddressed, could allow hackers easy access to your system. We recommend taking it one step further by enabling automatic updates on your operating systems, which will ensure you’re protected as soon as these fixes are available.

Think Before You Click
Over 90% of successful cyberattacks start with a phishing email. These deceptive messages are designed to look legitimate to trick you into giving away sensitive information or downloading malware. Always inspect emails for unusual language or out-of-place requests and verify the authenticity of the message through other communication channels if possible.

Use Strong Passwords
A strong password acts as the first line of defense against unauthorized access. Use long, unique, and randomly generated passwords for different accounts to prevent cross-site breaches. Password managers such as LastPass or 1Password can help manage the complexity of storing and remembering different passwords, enhancing your overall security posture while maintaining convenience.

Vigilance Against Phishing Attacks
Phishing attacks remain one of the most common and pernicious threats in cybersecurity. These attacks often involve fraudsters masquerading as reputable entities to deceive individuals into providing sensitive data.

Identifying Phishing Attempts
Phishing emails or messages often contain suspicious links, urgent requests for information, and slight inconsistencies in email addresses, links, or formatting. Being aware of the possible threat and recognizing these signs is crucial to avoiding phishing.
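The signs listed above can be checked mechanically. The following is an added example, not code from this page or from Shepherd Financial, that parses a raw email and reports the indicators the paragraph names: a display name that claims an organization whose expected domain (a constructed allowlist here) does not match the address, a Reply-To pointing elsewhere, link text whose host differs from the real link target, and urgency wording. Both sample messages and the `.example` domains are constructed for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: organizations you expect mail from and their real domains.
# In practice this comes from your own records, never from the message being checked.
EXPECTED_SENDERS = {"shepherd financial": "shepherdfinancial.example"}

URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "will be suspended")


class LinkCollector(HTMLParser):
    """Collects (visible anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def host_of(url: str) -> str:
    """Hostname of a URL; bare 'host/path' anchor text is read as https://host/path."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    return (parsed.hostname or "").lower()


def message_text(msg) -> tuple:
    """Return (plain_text, html_text) joined over all text parts of the message."""
    plain, html = [], []
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        body = payload.decode(part.get_content_charset() or "utf-8", "replace") if payload else ""
        (html if part.get_content_subtype() == "html" else plain).append(body)
    return "\n".join(plain), "\n".join(html)


def phishing_indicators(raw_message: str) -> list:
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw_message)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    for brand, expected in EXPECTED_SENDERS.items():
        if brand in display.lower() and from_domain != expected:
            findings.append(f"display name claims {brand!r} but address domain is {from_domain!r}")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_to)!r} differs from From domain {from_domain!r}")

    plain, html = message_text(msg)
    collector = LinkCollector()
    collector.feed(html)
    for text, href in collector.links:
        # Only compare when the visible text itself looks like a URL/host.
        if re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", text, re.I) and host_of(text) != host_of(href):
            findings.append(f"link text shows {host_of(text)!r} but points to {host_of(href)!r}")

    lowered = " ".join([msg.get("Subject", ""), plain, re.sub(r"<[^>]+>", " ", html)]).lower()
    hits = [term for term in URGENCY_TERMS if term in lowered]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed sample: a lookalike sender domain, mismatched Reply-To, disguised link, urgency.
SAMPLE_PHISH = """\
From: Shepherd Financial Support <support@shepherd-financia1.example>
Reply-To: recover@mail-recovery.example
To: participant@example.net
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be suspended. Please visit
<a href="http://shepherd-financia1.example/login">https://shepherdfinancial.example/login</a>
immediately.</p></body></html>
"""

# Constructed sample: a routine notice from the expected domain with no call to action.
SAMPLE_LEGIT = """\
From: Shepherd Financial <notices@shepherdfinancial.example>
To: participant@example.net
Subject: Your quarterly statement is available
Content-Type: text/plain; charset="utf-8"

Your statement is available in the participant portal. No action is required.
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(raw) or ["no indicators"])
```

The checks are deliberately simple heuristics; a finding is a reason to verify through an official channel, as the next section advises, not proof of fraud on its own.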

Preventative Measures
Handle unexpected requests for personal information with skepticism. If you receive such a request, do not respond immediately. Instead, verify the sender by contacting the organization through official channels, such as their verified contact number or email address found on their official website.

Education and Training
Educate yourself about the latest phishing tactics through online resources, safety courses, or webinars. Staying updated on new phishing strategies and learning practical tips can enhance your ability to protect your personal data.

Use of Technology
Employ reliable email filtering tools that can screen out suspicious emails. These filters can significantly reduce the number of phishing attempts that reach your inbox, adding an essential layer of security.

By proactively enhancing your knowledge, understanding the basics, and implementing these strategies, you can significantly lower your risk of falling victim to cyber attacks.
