WASHINGTON – In its ongoing effort to protect U.S. workers’ retirement and health benefits, the U.S. Department of Labor has updated its cybersecurity guidance to apply to all types of plans governed by the Employee Retirement Income Security Act (ERISA), including health and welfare plans, as well as employee retirement benefit plans.
The new Compliance Assistance Release from the department’s Employee Benefits Security Administration (EBSA) provides best practices in cybersecurity for plan sponsors, fiduciaries, recordkeepers, and participants. This release updates EBSA’s 2021 guidance and includes:
- Tips for Hiring a Service Provider: Assists plan sponsors and fiduciaries in prudently selecting a service provider with strong cybersecurity practices and monitoring their activities, as required by ERISA.
- Cybersecurity Program Best Practices: Helps plan fiduciaries and recordkeepers mitigate risks.
- Online Security Tips: Offers rules for plan participants who check their online retirement accounts to reduce the risk of fraud and loss.
“Today’s Compliance Assistance Release provides an important clarification for plan sponsors and fiduciaries, confirming that our guidance on cybersecurity applies to all plans covered by the Employee Retirement Income Security Act,” explained Assistant Secretary for Employee Benefits Security Lisa M. Gomez. “All ERISA-covered plans need to implement appropriate best practices to help protect participants and their beneficiaries from cybercrime and emerging threats. These updates remind plan sponsors and fiduciaries of the critical importance of safeguarding job-based benefits and personal information.”
As of June 2024, EBSA estimates that ERISA covers 2.8 million health plans, 619,000 other welfare benefit plans, and 765,000 private pension plans in America. These plans include 153 million workers, retirees, and dependents who participate in private sector pension and welfare plans with $14 trillion in estimated assets. Without sufficient protections, digital participant information may be vulnerable to internal and external risks of computer-related crimes and losses. Federal regulations require plan fiduciaries to take appropriate precautions to mitigate these risks.
“The Employee Benefits Security Administration believes cybersecurity is a great concern for all employee benefit plans, and we continue to investigate potential ERISA violations related to the issue,” Gomez added.
The guidance complements EBSA’s regulations on electronic records and disclosures to plan participants and beneficiaries. These include provisions ensuring that electronic recordkeeping systems have reasonable controls, that adequate records management practices are in place, and that electronic disclosure systems include measures calculated to protect Personally Identifiable Information.