DOL Updates Guidance on Pension and Health & Welfare Plan Cybersecurity Best Practices

Proskauer - Employee Benefits & Executive Compensation Blog

 

In 2021, the U.S. Department of Labor (DOL) issued three documents outlining guidance on cybersecurity practices for benefits plans, which we discussed in a blog post at the time. The DOL recently issued revised versions of those three documents in its Compliance Assistance Release No. 2024-01. The revised versions clarify that they apply not just to pension plans, but to health and welfare plans as well. While the revised documents remain largely consistent with their initial versions, there were a few tweaks. In summary:

  • Tips for Hiring a Service Provider with Strong Cybersecurity Practices: Language was added advising that the negotiating party confirm specifically that applicable insurance policies would cover cyber breaches and incidents involving the plan.
  • Cybersecurity Program Best Practices: Additional detail was included on multi-factor authentication (MFA), including advising plans to deploy phishing-resistant MFA if possible, implement MFA on internet-facing systems, and require MFA to access network areas with sensitive information. Moreover, a bullet was added encouraging notification of participants without unreasonable delay if their personal data is the subject of unauthorized acquisition.
  • Online Security Tips for Participants and Beneficiaries: Recommendations with respect to passwords or passphrases have been revised, including to encourage longer passwords or passphrases that may be reset less frequently (at least annually).

Proskauer Perspective
Cybersecurity risks related to employee benefits plans continue to be a significant area of concern, and it is important that plan fiduciaries evaluate potential vulnerabilities and take steps to mitigate risk. This includes reviewing and improving upon the systems and practices of the plan sponsor and administrator as well as diligently monitoring the systems and practices of any plan vendors.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Proskauer - Employee Benefits & Executive Compensation Blog

Written by:

Proskauer - Employee Benefits & Executive Compensation Blog