On Friday, September 6, 2024, the U.S. Department of Labor confirmed that its cybersecurity guidance applies to all employee benefit plans, including health and welfare plans. In 2021, the DOL issued guidance providing best practices in cybersecurity for plan sponsors, plan fiduciaries, recordkeepers, and plan participants. The retirement plan industry took notice and has generally made great efforts to improve cybersecurity practices and protect participants’ accounts and data. The new DOL Compliance Assistance Release issued last Friday clarifies that the health and welfare plan industry should also follow the prior guidance.

Included among the DOL’s guidance are “Tips for Hiring a Service Provider,” which suggest that fiduciaries hiring benefit plan service providers should:

1. Ask about the service provider’s information security standards, practices and policies, and audit results, and compare them to the industry standards adopted by other financial/health institutions.
2. Ask the service provider how it validates its practices, and what levels of security standards it has met and implemented. Look for contract provisions that give you the right to review audit results demonstrating compliance with the standard.
3. Evaluate the service provider’s track record in the industry, including public information regarding information security incidents, other litigation, and legal proceedings related to vendor’s services.
4. Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded.
5. Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches (including breaches caused by internal threats, such as misconduct by the service provider’s own employees or contractors, and breaches caused by external threats, such as a third party hijacking a plan participants’ account).
6. When you contract with a service provider, make sure that the contract requires ongoing compliance with cybersecurity and information security standards – and beware contract provisions that limit the service provider’s responsibility for IT security breaches. Also, try to include terms in the contract that would enhance cybersecurity protection for the Plan and its participants.