Article | Insider

DOL updates cybersecurity guidance

By Stephen Douglas , William “Bill” Kalten , Benjamin Lupin and Laura Roos | October 4, 2024

The DOL’s updated guidance for ERISA plan sponsors offers pointers for hiring a service provider, cybersecurity program best practices and online security tips.

The Department of Labor (DOL) has updated its 2021 package of guidance designed to help ERISA plan sponsors and service providers reduce cybersecurity risks.

The guidance applies to ERISA-covered health and welfare plans in addition to retirement plans. ERISA-covered health and welfare plans include medical, dental and vision plans as well as plans that provide life and accidental death and dismemberment insurance, long-term disability benefits, business travel insurance, certain employee assistance programs and wellness programs, most health flexible spending arrangements, health reimbursement arrangements and other benefit plans covered by ERISA.

As outlined in a recent news release, the latest Compliance Assistance Release continues to provide tips and best practices in cybersecurity for plan sponsors, plan fiduciaries, recordkeepers and plan participants, including:

The DOL did not make many substantive changes to the 2021 guidance, although the latest guidance:

  • Clarifies that it applies to health and welfare plans as well as retirement plans
  • Recommends that when hiring service providers, plan sponsors and fiduciaries ensure their insurance covers cybersecurity breaches
  • Provides examples of best practices related to using multi-factor authentication
  • Recommends timely notifying participants of cybersecurity breaches
  • Updates its password security tips (for example, avoid using common passwords and change passwords annually or when there is a security breach)

This guidance is “sub-regulatory,” meaning the DOL generally may not treat a party’s noncompliance with it as a violation of law but, rather, must still prove that a violation of an applicable legal standard has occurred. [1]

Footnotes

  1. For more information on the 2021 guidance for retirement plan sponsors and fiduciaries, see “DOL begins cybersecurity audit initiative,” Insider, July 2021.

Authors

Senior Director, Retirement and Executive Compensation

Senior Director, Retirement and Executive Compensation

Senior Regulatory Advisor, Health and Benefits

Senior Director