EBSA Releases Updated Cybersecurity Guidance for Employee Benefit Plans

Ann Poland| September 20th, 2024

Benefits+, Compliance

Through Compliance Assistance Release No. 2024-01, the U.S. Department of Labor’s Employee Benefits Security Administration (EBSA) is confirming that the cybersecurity guidance it issued in April 2021 generally applies to all employee benefit plans, including health and welfare plans.

Background

In 2021, EBSA issued cybersecurity guidance to help plan sponsors, fiduciaries, service providers, and participants in employee benefit plans safeguard plan data, personal information and plan assets. However, in the years since, health and welfare plan service providers have told fiduciaries and EBSA investigators that this guidance only applies to retirement plans. Thus, it was recommended in 2022 that EBSA clarify that the guidance also applies to health benefit plans.

Updated Guidance

The Compliance Release clarifies that the cybersecurity guidance applies to all types of plans covered by the Employee Retirement Income Security Act of 1974 (ERISA), including health and welfare plans and all employee pension benefit plans. EBSA is providing the following updated guidance:

Tips for Hiring a Service Provider: This guidance helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as required by ERISA.
Cybersecurity Program Best Practices: This guidance assists plan fiduciaries and recordkeepers in their responsibilities to manage cybersecurity risks.
Online Security Tips: This guidance offers plan participants and beneficiaries who check their retirement accounts or other employee benefit information online basic rules to reduce the risk of fraud and loss.

Additional Resources

The U.S. Department of Health and Human Services also offers publications that may help health plans and their service providers maintain good cybersecurity practices, as follows: