Author | Bonnie Treichel
In September 2024, the Department of Labor (DOL) issued “new” guidance for plan sponsors, plan fiduciaries, recordkeepers, and plan participants on best practices for maintaining cybersecurity, including tips on how to protect the retirement benefits of America’s workers. The key elements of the DOL guidance will help plan sponsors with actionable steps to enhance their cybersecurity practices. Though the new guidance did not include significant changes, it is a good reminder of what should be included in a robust cybersecurity program.
Here’s What You Really Need to Know:
- The primary purpose of the DOL’s Compliance Assistance Release No. 2024-01 (the 2024 Release) is making sure that the cybersecurity guidance issued in April 2021 generally applies to all employee benefit plans, including health and welfare plans. Previously, the guidance was understood to only apply to retirement plans regulated by the Employee Retirement Income Security Act (ERISA). The new broad applicability underscores the importance of cybersecurity across all types of employee benefit plans.
- The 2024 Release largely mirrors the 2021 guidance. The 2024 Release does, however, include additional resources from the Department of Health and Human Services. It also offers publications that may help health plans, and their service providers, maintain good cybersecurity practices.
- In recent months, the DOL has increased their attention to cybersecurity practices as part of their plan audits.
Let’s Dive In…
ERISA requires a fiduciary to carry out its obligations to the plan with care, skill, prudence, and diligence – acting as an expert and not a layperson. For many years, there was no formal guidance for plan fiduciaries related to cybersecurity. In 2021, the DOL issued guidance for plan sponsors, fiduciaries, and participants to safeguard retirement benefits and personal information. Per the DOL in the 2021 guidance, the duty of care was extended to cybersecurity practices; plan fiduciaries must now act prudently and in the interest of plan participants and beneficiaries by taking appropriate precautions to mitigate cybersecurity risks. Failure to implement minimum cybersecurity practices by plan sponsors is a basis for breach of fiduciary duty.
Immediately following the 2021 guidance, the DOL commenced investigations related to cybersecurity and now includes cybersecurity questions regularly as a part of their document request letters. Typical questions and document requests range from very broad requests – such as “all documents” reflecting the plan’s cybersecurity program – to very specific requests including documents (e-mails, minutes, etc.) that discuss any efforts to consider, address, develop, implement, or negotiate cybersecurity problems, procedures, or protections (see below for sample requests).
2024 Release
The “new” guidance from the 2024 Release is largely a restatement of that provided in 2021. It’s not so much “guidance” in the typical sense from the DOL, but rather a set of best practices. The same as the 2021 guidance, the 2024 Release falls into the following major categories:
- Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.
- Cybersecurity Program Best Practices: Assists plan fiduciaries and recordkeepers in their responsibilities to manage cybersecurity risks.
- Online Security Tips: Offers plan participants and beneficiaries who check their retirement accounts or other employee benefit plan information online basic rules to reduce the risk of fraud and loss.
Each of the categories above contains specific components to help guide plan sponsors on how to take appropriate measures to follow the DOL guidance. For example, “Cybersecurity Program Best Practices” includes a 12-part checklist to use as a reference.
The 2024 Release has an expanded emphasis on applicability to health and welfare programs, which are also subject to ERISA. In doing so, the DOL included additional resources from the Department of Health and Human Services:
- Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients
- Technical Volume 1: Cybersecurity Practices for Small Healthcare Organizations
- Technical Volume 2: Cybersecurity Practices for Medium and Large Healthcare Organizations
Reasonable Application of the 2024 Release
While the 2024 Release reminds fiduciaries of their obligations regarding cybersecurity, the guidance remains somewhat vague. For example, the guidance says that a provider service “contract should identify how quickly you would be notified of any cyber incident or data breach. In addition, the contract should ensure the service provider’s cooperation to investigate and reasonably address the cause of the breach.” The 2024 Release (similar to the 2021 guidance) does not include a standard (or range of standards) that would be deemed appropriate. For plan sponsors and their associated service providers, principles of reasonableness should continue to be employed. Plan sponsors should consider the data at hand and protect it accordingly. For example, a plan sponsor is prudently selecting and monitoring a recordkeeper and a financial advisor. If the recordkeeper is provided with extensive personally identifiable information (PII) because that is required to perform the services, but the financial advisor is only provided with nominal information and not given social security numbers, then different security measures would be required for those two service providers. Utilizing prudence and a reasonableness standard, the financial advisor would not have access to the same kind of PII as the recordkeeper so the application of the DOL’s 2024 Release would be different for the two service providers.
While it may seem vague, the 2024 Release does provide a strong list of questions that a prudent ERISA fiduciary should be asking itself and its service providers; this can be incorporated into the annual fiduciary compliance program for the plan. Plan sponsors should note that it is important to document the steps they are taking to comply with the DOL’s 2024 Release. Maintaining proper documentation is a best practice in scenarios where there is ambiguity in the standards outlined by the DOL. With proper documentation, the DOL will see that there is a reasonable process established. This extends to circumstances where a service provider, for example, is not able to provide everything that is requested in a contract. At a minimum, the plan sponsor can demonstrate the request was made.
Action Items for Plan Sponsors
Cybersecurity is a big topic, which is why it is important to evaluate your cybersecurity program. Though there is a lot for plan sponsors to know and do, here are a few steps to follow:
- Read and review the 2024 Release.
- Share the updated guidance in the 2024 Release with the plan committee(s) – both retirement and healthcare.
- Identify all service providers the plan shares data with and ask your current service providers to respond to the questions posed by the 2024 Release.
- Discuss and consider your service providers’ responses as part of your prudent evaluation of the providers the plan engages. Make updates, as appropriate, based on service provider responses.
- Consider including those best practices as a component of any request for proposal (RFP) undertaken.
- Consistently document each of the actions that you are taking.
