The Employee Benefits Security Administration (EBSA) and the Department of Labor (DOL) continue their efforts in both civil and criminal investigations of employee benefits plans focusing on plan sponsors’ fiduciary duties. Employers with health and welfare plans must remember that one fiduciary duty of particular interest is the obligation to manage cybersecurity risks to their employer-sponsored plans.
In April 2021, the DOL issued cybersecurity guidance – the first of its kind – for health and welfare plan sponsors. The DOL’s cybersecurity guidance was released in three parts:
- Tips for Hiring a Service Provider with Strong Cybersecurity Practices, which provides guidance to plan fiduciaries in the hiring of service providers
- Cybersecurity Program Best Practices, which provides best practices for recordkeepers and other service providers
- Online Security Tips, which provides advice to plan participants and beneficiaries who check and manage their accounts online
While this guidance may not explicitly refer to employer-sponsored plans other than ERISA-governed retirement plans, plan fiduciaries should consider the tips and best practices for other employer-sponsored plans, to the extent applicable. This is particularly true for other plans governed by ERISA, such as health and welfare plans, because the same fiduciary responsibilities applicable to retirement plans would apply to health and welfare plans as well.
Since this initial guidance was issued, the DOL has begun an initiative to audit ERISA plans’ cybersecurity programs. When conducting these audits, the DOL has requested detailed documentation on all cybersecurity and information security programs relating to an employer’s health and welfare plan, including proof of cybersecurity training, reports of any past breaches, and documentation on service providers’ security programs.
Tips for Hiring a Service Provider
Sponsors of ERISA-governed plans are no strangers to hiring service providers to work with their health and welfare plans, and they are familiar with the requirement to ensure a prudent process for the selection and monitoring of such service providers. This guidance now sweeps cybersecurity considerations into the topics to weigh when selecting service providers.
The DOL provides suggested questions to ask potential service providers to gauge a service provider’s cybersecurity practices. This includes asking the service provider about its information security standards, audit policies and results, how it validates its practices, what levels of security standards it has met and implemented, and past security breaches. The responses should be considered against other potential service providers, industry standards, and the service provider’s track record.
The DOL guidance also suggests careful attention to the service contract. Under this DOL guidance, the service contracts should, among other things:
- Require the service provider to obtain third-party audits on an annual basis
- Identify how quickly a service provider must inform plan fiduciaries of a cybersecurity breach
- Specify the service provider’s obligation to meet applicable federal, state, and local laws regarding privacy, confidentiality, or security of participants’ personal information.
Cybersecurity Program Best Practices
The DOL has identified a 12-point best practice system for use by recordkeepers for plan-related IT systems and for use by plan fiduciaries in making prudent decisions regarding cybersecurity measures. In brief, the DOL recommends that plan fiduciaries:
- Have a formal, well-documented cybersecurity program
- Create a prudent, annual risk assessment
- Engage a third-party annual audit of the security controls
- Clearly define and assign information security roles and responsibilities
- Ensure strong access control procedures
- Assess third-party service provider use of cloud or managed services
- Conduct annual cybersecurity awareness training
- Implement a secure system development life cycle (SDLC)
- Implement a business resiliency program to address business continuity, disaster recovery, and incident response
- Encrypt sensitive data, stored and in transit
- Implement strong technical controls to implement best security practices
- Be responsive to cybersecurity incidents or breaches
Moving Forward with the DOL Guidance
Cybersecurity has been an increasing concern across the board as processes and platforms have increasingly moved to remote or electronic providers. Given this landscape of electronic services and the DOL’s recent guidance, plan fiduciaries should review and analyze their processes currently in place to address cybersecurity risks. Having a strong cybersecurity policy in place that follows the DOL guidelines will ensure plan fiduciaries are able to fulfill their obligations when it comes to cybersecurity concerns and prevent DOL penalties on audit.
This information has been prepared for UBA by Fisher & Phillips LLP. It is general information and provided for educational purposes only. It is not intended to provide legal advice. You should not act on this information without consulting legal counsel or other knowledgeable advisors.