The US Department of Labor (DOL) issued a press release on September 6, 2024 reminding ERISA plan fiduciaries that it considers cybersecurity to be an area of “great concern” and emphasizing that it continues to investigate potential cybersecurity-related ERISA violations. The press release accompanied guidance updating the DOL’s 2021 cybersecurity subregulatory guidance and, most significantly, clarifying that the 2024 updates apply to all types of ERISA plans, including health and welfare plans. In our view, this clarification now aligns the DOL’s cybersecurity guidance with the position it has taken in investigations and public statements.
By way of background, the DOL issued three pieces of subregulatory guidance in 2021 that were intended to address the intersection of cybersecurity and ERISA-covered plans.
Each piece of guidance was addressed to a different audience: (1) Online Security Tips was addressed to ERISA plan participants; (2) Tips for Hiring a Service Provider with Strong Cybersecurity Practices (Hiring Tips) was addressed to ERISA plan fiduciaries; and (3) Cybersecurity Program Best Practices (Best Practices) was addressed to ERISA plan vendors and fiduciaries selecting and monitoring such vendors.
The 2021 guidance was framed only in terms of retirement plans, but it could be read to cover all ERISA plans. We discussed the 2021 guidance at length here.
Outside of clarifying that the DOL’s cybersecurity guidance applies to all ERISA plans—retirement plans and health and welfare plans alike—the 2024 updates were limited:
- In the Online Security Tips, the 2024 update tweaked the frequency with which it recommends participants update their passwords (changing it from 120 days to annually), clarified that participants should not use common passwords (as opposed to stating that they should not use dictionary words), and suggested participants favor longer passwords instead of more frequent resets.
- In the Hiring Tips, the 2024 update clarified that ERISA plan fiduciaries should ensure that their vendors’ insurance coverage covers cybersecurity breaches and incidents involving the plan.
- In the Best Practices, the 2024 update indicated that ERISA plan vendors who follow these best practices should adopt certain multifactor authentication processes and should notify participants of unauthorized acquisition of their personal data without unreasonable delay.
Despite the limited scope of the 2024 updates, the takeaway is clear: the DOL continues to see cybersecurity as a top priority, and all ERISA plan fiduciaries (including those overseeing health and welfare plans) should be prepared for the DOL to investigate the steps taken to mitigate their plans’ cybersecurity risks.
In light of this clear message from the DOL, fiduciaries and service providers to ERISA plans (that have access to data and/or assets) may want to consider evaluating the plan’s cybersecurity regime, such as through a cybersecurity self-audit, adoption of a cybersecurity policy, or through other improvements to the cybersecurity and/or monitoring processes.
For group health plans, this can be done in conjunction with the self-audits that must be conducted to develop those policies and procedures required under the HIPAA Privacy and Security Rules. As discussed in more detail here, Final Rules issued under HIPAA earlier this year require group health plans to update their HIPAA privacy policies and procedures and provide associated workforce training by December 22, 2024.
[View source.]
