DOL Cybersecurity Guidance: What Employers Need to Know for their Health and Welfare Plans - Bim Group

READ TIME: 5 MINUTES

The Employee Benefits Security Administration (EBSA) and the Department of Labor (DOL) continue their efforts in both civil and criminal investigations of employee benefits plans focusing on plan sponsors’ fiduciary duties. Employers with health and welfare plans must remember that one fiduciary duty of particular interest is the obligation to manage cybersecurity risks to their employer-sponsored plans.

In April 2021, the DOL issued cybersecurity guidance – the first of its kind – for health and welfare plan sponsors. The DOL’s cybersecurity guidance was released in three parts:

  1. Tips for Hiring a Service Provider with Strong Cybersecurity Practices, which provides guidance to plan fiduciaries in the hiring of service providers
  2. Cybersecurity Program Best Practices, which provides best practices for recordkeepers and other service providers
  3. Online Security Tips, which provides advice to plan participants and beneficiaries who check and manage their accounts online

While this guidance may not explicitly refer to employer-sponsored plans other than ERISA-governed retirement plans, plan fiduciaries should consider the tips and best practices for other employer-sponsored plans, to the extent applicable. This is particularly true for other plans governed by ERISA, such as health and welfare plans, because the same fiduciary responsibilities applicable to retirement plans would apply to health and welfare plans as well.

Since this initial guidance was issued, the DOL has begun an initiative to audit ERISA plans’ cybersecurity programs. When conducting these audits, the DOL has requested detailed documentation on all cybersecurity and information security programs relating to an employer’s health and welfare plan, including proof of cybersecurity training, reports of any past breaches, and documentation on service providers’ security programs.

Tips for Hiring a Service Provider

Sponsors of ERISA-governed plans are no strangers to hiring service providers to work with their health and welfare plans and are familiar with the requirement to ensure a prudent process for the selection and monitoring of such service providers. This guidance now adds cybersecurity to the factors a fiduciary must weigh when selecting service providers.

The DOL provides suggested questions to ask potential service providers to gauge a service provider’s cybersecurity practices. This includes asking the service provider about its information security standards, audit policies and results, how it validates its practices, what levels of security standards it has met and implemented, and past security breaches. The responses should be considered against other potential service providers, industry standards, and the service provider’s track record.

The DOL guidance also suggests careful attention to the service contract. Under this DOL guidance, the service contracts should, among other things:

  • Require the service provider to obtain third-party audits on an annual basis
  • Identify how quickly a service provider must inform plan fiduciaries of any cybersecurity breach
  • Specify the service provider’s obligation to meet applicable federal, state, and local laws regarding privacy, confidentiality, or security of participants’ personal information.

Cybersecurity Program Best Practices

The DOL has identified a 12-point best practice system for use by recordkeepers for plan-related IT systems and for use by plan fiduciaries in making prudent decisions regarding cybersecurity measures. In brief, the DOL recommends that plan fiduciaries:

  1. Have a formal, well-documented cybersecurity program
  2. Conduct a prudent, annual risk assessment
  3. Engage a third-party annual audit of the security controls
  4. Clearly define and assign information security roles and responsibilities
  5. Ensure strong access control procedures
  6. Assess third-party service providers’ use of cloud storage and services
  7. Conduct annual cybersecurity awareness training
  8. Implement a secure system development life cycle (SDLC) program
  9. Implement a business resiliency program to address business continuity, disaster recovery, and incident response
  10. Encrypt sensitive data, both stored and in transit
  11. Implement strong technical controls in accordance with best security practices
  12. Be responsive to cybersecurity incidents or breaches

Moving Forward with the DOL Guidance

Cybersecurity has been an increasing concern across the board as processes and platforms have increasingly moved to remote or electronic providers. Given this landscape of electronic services and the DOL’s recent guidance, plan fiduciaries should review and analyze their processes currently in place to address cybersecurity risks. Having a strong cybersecurity policy in place that follows the DOL guidelines will ensure plan fiduciaries are able to fulfill their obligations when it comes to cybersecurity concerns and prevent DOL penalties on audit.

This information has been prepared for UBA by Fisher & Phillips LLP. It is general information and provided for educational purposes only. It is not intended to provide legal advice. You should not act on this information without consulting legal counsel or other knowledgeable advisors.
