DOL Cybersecurity Guidance: What Employers Need to Know for their Health and Welfare Plans - Bim Group

The Employee Benefits Security Administration (EBSA) and the Department of Labor (DOL) continue their efforts in both civil and criminal investigations of employee benefits plans focusing on plan sponsors’ fiduciary duties. Employers with health and welfare plans must remember that one fiduciary duty of particular interest is the obligation to manage cybersecurity risks to their employer-sponsored plans.

In April 2021, the DOL issued cybersecurity guidance – the first of its kind – for health and welfare plan sponsors. The DOL’s cybersecurity guidance was released in three parts:

  1. Tips for Hiring a Service Provider with Strong Cybersecurity Practices, which provides guidance to plan fiduciaries in the hiring of service providers
  2. Cybersecurity Program Best Practices, which provides best practices for recordkeepers and other service providers
  3. Online Security Tips, which provides advice to plan participants and beneficiaries who check and manage their accounts online

While this guidance may not explicitly refer to employer-sponsored plans other than ERISA-governed retirement plans, plan fiduciaries should consider the tips and best practices for other employer-sponsored plans, to the extent applicable. This is particularly true for other plans governed by ERISA, such as health and welfare plans, because the same fiduciary responsibilities applicable to retirement plans would apply to health and welfare plans as well.

Since this initial guidance was issued, the DOL has begun an initiative to audit ERISA plans’ cybersecurity programs. When conducting these audits, the DOL has requested detailed documentation on all cybersecurity and information security programs relating to an employer’s health and welfare plan, including proof of cybersecurity training, reports of any past breaches, and documentation on service providers’ security programs.


Tips for Hiring a Service Provider

Sponsors of ERISA-governed plans are no strangers to hiring service providers to work with their health and welfare plans and are familiar with the requirement to follow a prudent process for selecting and monitoring those service providers. This guidance now adds cybersecurity to the factors that must be considered when selecting service providers.

The DOL provides suggested questions to ask potential service providers to gauge a service provider’s cybersecurity practices. This includes asking the service provider about its information security standards, audit policies and results, how it validates its practices, what levels of security standards it has met and implemented, and past security breaches. The responses should be considered against other potential service providers, industry standards, and the service provider’s track record.

The DOL guidance also suggests careful attention to the service contract. Under this DOL guidance, the service contracts should, among other things:

  • Require the service provider to obtain third-party audits on an annual basis
  • Identify how quickly a service provider must inform plan fiduciaries of a cybersecurity incident or data breach
  • Specify the service provider’s obligation to meet applicable federal, state, and local laws regarding privacy, confidentiality, or security of participants’ personal information.


Cybersecurity Program Best Practices

The DOL has identified a 12-point best practice system for use by recordkeepers for plan-related IT systems and for use by plan fiduciaries in making prudent decisions regarding cybersecurity measures. In brief, the DOL recommends that plan fiduciaries:

  1. Have a formal, well-documented cybersecurity program
  2. Conduct a prudent, annual risk assessment
  3. Engage a third-party annual audit of the security controls
  4. Clearly define and assign information security roles and responsibilities
  5. Ensure strong access control procedures
  6. Assess third-party service provider use of cloud storage
  7. Conduct annual cybersecurity awareness training
  8. Implement a secure system development life cycle (SDLC)
  9. Implement a business resiliency program to address business continuity, disaster recovery, and incident response
  10. Encrypt sensitive data
  11. Implement strong technical controls in accordance with best security practices
  12. Be responsive to cybersecurity incidents or breaches


Moving Forward with the DOL Guidance

Cybersecurity has become an increasing concern as benefit plan processes and platforms have moved to remote or electronic providers. Given this landscape of electronic services and the DOL’s recent guidance, plan fiduciaries should review and analyze the processes they currently have in place to address cybersecurity risks. Having a strong cybersecurity policy in place that follows the DOL guidelines will ensure plan fiduciaries are able to fulfill their obligations when it comes to cybersecurity concerns and prevent DOL penalties on audit.

This information has been prepared for UBA by Fisher & Phillips LLP. It is general information and provided for educational purposes only. It is not intended to provide legal advice. You should not act on this information without consulting legal counsel or other knowledgeable advisors.
