The U.S. Department of Labor has updated its cybersecurity guidance to strengthen protections for workers’ retirement and health benefits. This updated guidance applies to all plans governed by the Employee Retirement Income Security Act (ERISA), including health and welfare plans, as well as employee retirement benefit plans. The new Compliance Assistance Release from the department’s Employee Benefits Security Administration (EBSA) provides essential best practices for plan sponsors, fiduciaries, recordkeepers, and participants to ensure that personal information and assets are safeguarded against emerging cyber threats.
One key update in the guidance is the emphasis on selecting service providers with strong cybersecurity practices. It provides tips for plan sponsors and fiduciaries on how to prudently choose service providers and monitor their cybersecurity activities, as required by ERISA. The release also outlines best practices for cybersecurity programs to help plan fiduciaries and recordkeepers mitigate the risks of data breaches and fraud. This is particularly critical given the sensitive nature of the information handled by retirement and health benefit plans.
For plan participants, the updated guidance includes tips on securing their online retirement accounts to reduce the risk of fraud and financial loss. The Department of Labor emphasizes that all ERISA-covered plans must implement appropriate cybersecurity measures to protect both participants and beneficiaries. With millions of workers, retirees, and their dependents involved in these plans, ensuring cybersecurity is vital to maintaining the integrity of the systems that manage retirement savings and health benefits.
As of June 2024, the EBSA estimates that ERISA governs around 2.8 million health plans, 619,000 welfare benefit plans, and 765,000 private pension plans, covering over 153 million individuals with an estimated $14 trillion in assets. The Department of Labor’s updated guidance highlights the growing need for comprehensive cybersecurity protections as these plans hold vast amounts of sensitive information. The updated rules complement existing regulations on electronic records and disclosures, ensuring that electronic record-keeping systems are secure and that participants’ Personally Identifiable Information (PII) is adequately protected from cyber threats.