September 11, 2024
On September 6, 2024, the DOL issued Compliance Assistance Release No. 2024-01, which provides updated cybersecurity guidance for employee benefit plans. The DOL also clarified that the cybersecurity guidance applies to all employee benefit plans, including retirement plans and health and welfare plans, not only retirement plans.
In recent years, the DOL has increasingly focused on cybersecurity measures for ERISA plans. Release No. 2024-01 enhances the DOL’s 2021 cybersecurity guidance and is intended to help plan sponsors, fiduciaries, service providers, and participants safeguard plan data, personal information, and plan assets. The latest updates are reflected in three publications, which address service provider selection, cybersecurity program best practices, and online security tips.
The first publication, “Tips for Hiring a Service Provider,” helps plan sponsors and other fiduciaries prudently select service providers with strong cybersecurity practices and monitor their activities on an ongoing basis. Among other tips, the DOL advises fiduciaries to ask about the service provider's information security standards, practices and policies, and audit results, and to compare these to the industry standards adopted by other financial or health institutions. Fiduciaries should also verify whether the service provider maintains insurance to cover losses caused by cybersecurity and identity theft breaches. When contracting with service providers, fiduciaries should seek terms that provide cybersecurity protections for the plan and participants (e.g., limits on the use and sharing of confidential information, and notification of security incidents) and require compliance with applicable privacy and security laws.
The second publication, “Cybersecurity Program Best Practices,” helps plan fiduciaries meet their responsibility to manage cybersecurity risk by hiring service providers that follow the DOL's recommended best practices. These practices include having a formal, well-documented cybersecurity program, conducting prudent annual risk assessments, and obtaining a reliable annual third-party audit of security controls. Additionally, sensitive data should be encrypted, whether at rest or in transit, and periodic cybersecurity awareness training should be conducted.
Finally, the “Online Security Tips” publication is directed at plan participants and beneficiaries who check their retirement accounts or other employee benefit plan information online and is designed to reduce their risk of fraud and loss. The tips advise participants to routinely monitor their online accounts, create strong and unique passwords for each account, and use multifactor authentication, which requires a second, independent factor to verify identity beyond the password (e.g., entering a one-time code sent in real time by text message or email).
Plan sponsors and fiduciaries should clearly recognize their fiduciary obligations with respect to the protection of plan and participant confidential data from cybersecurity threats. They should carefully review and incorporate the DOL’s updated and practical cybersecurity guidance into their policies and procedures for selecting, contracting with, and monitoring service providers. Additionally, sponsors should educate participants regarding measures they can take to protect their own retirement account or other employee benefit plan data and inform participants about the availability of the DOL Online Security Tips.
DOL Compliance Assistance Release No. 2024-01
PPI Benefit Solutions does not provide legal or tax advice. Compliance, regulatory and related content is for general informational purposes and is not guaranteed to be accurate or complete. You should consult an attorney or tax professional regarding the application or potential implications of laws, regulations or policies to your specific circumstances.