The U.S. Department of Labor (DOL) has recently updated its guidance on cybersecurity best practices for employee benefits plans. This update is outlined in Compliance Assistance Release No. 2024-01, which revises the initial 2021 documents originally focused on pension plans. The updated guidance now includes health and welfare plans, expanding the scope to address a broader range of employee benefit programs. While the core recommendations remain consistent, the revisions provide additional clarity and detail to enhance cybersecurity measures across all types of benefits plans.
One significant update involves the guidelines for hiring service providers with strong cybersecurity practices. The new language advises that parties negotiating contracts with service providers should specifically confirm that applicable insurance policies cover cyber breaches and incidents involving the plan. This addition aims to ensure that plans are protected against potential financial losses resulting from cybersecurity incidents involving third-party vendors.
Another notable change is in the cybersecurity program best practices. The revised guidance includes more detailed recommendations on multi-factor authentication (MFA). It now suggests deploying phishing-resistant MFA where possible, implementing MFA on internet-facing systems, and requiring MFA for accessing network areas with sensitive information. Additionally, there is a new emphasis on promptly notifying participants if their personal data is subject to unauthorized acquisition, ensuring that breaches are communicated without unreasonable delay.
Finally, the updates include revised online security tips for participants and beneficiaries. The new guidance recommends using longer passwords or passphrases and resetting them less frequently, at least on an annual basis. This change reflects a growing recognition of the importance of robust password practices in safeguarding personal information. Overall, these updates underscore the DOL’s ongoing commitment to enhancing cybersecurity measures for all employee benefits plans and mitigating potential risks in the digital landscape.