New guidance from the Employee Benefits Security Administration (EBSA) affirms that both sides—retirement plans and welfare plans—must take steps to secure participant data from cybercrime.

In 2021 the Department of Labor (DOL) introduced new guidance on best practices for maintaining cybersecurity, which included tips to participants who check their retirement accounts online. From this, many plan sponsors and service providers concluded that the guidance was only applicable to retirement benefits (such as 401(k), profit sharing, and pension plans).

On September 6, 2024, the EBSA issued Compliance Assistance Release No. 2024-1, which makes clear that the cybersecurity guidance issued in 2021 is applicable to ALL types of ERISA plans—including health and welfare plans.

The EBSA estimates that there are 153 million participants in private sector ERISA governed plans, which includes 2.18 million health plans. That’s a lot of personal information being maintained in digital format. The federal regulations require that plan fiduciaries take appropriate steps to help mitigate the risks of loss from computer-related crimes.

The Compliance Assistance Release updates the 2021 guidance by specifically calling out health and welfare plans with the following:

• Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices to monitor their activities, as ERISA requires.
• Cybersecurity Program Best Practices: Assists plan fiduciaries and recordkeepers in mitigating risks.
• Online Security Tips: Offers plan participants who check their online retirement accounts with rules for reducing the risk of fraud and loss.

As a plan fiduciary, be sure to review the guidance and take any steps necessary to apply the best practices to your health and welfare plan data.