Employment Law Report
Department of Labor Clarifies Cybersecurity Guidance Applies To ALL ERISA Plans
By: Sherry Porter
The Employee Benefits Security Administration (EBSA) of the U.S. Department of Labor has jurisdiction over the enforcement and interpretation of the Employee Retirement Income Security Act of 1974 (ERISA). ERISA governs most private employer sponsored employee benefit plans, like group health plans, retirement plans, etc. One issue that has been brewing is cybersecurity risks to all ERISA employee benefit plans – health and welfare plans and retirement plans alike.
EBSA issued cybersecurity guidance in 2021 to help plan sponsors and others who work with employee benefit plans safeguard plan data and assets. The guidance came in the form of three documents: Tips for Hiring a Service Provider with Strong Cybersecurity Practices | U.S. Department of Labor (dol.gov); Cybersecurity Program Best Practices | U.S. Department of Labor (dol.gov); and Online Security Tips | U.S. Department of Labor (dol.gov).
Apparently there has been some confusion in the employee benefits world as some plan service providers thought that this guidance only applied to retirement plans. However, the agency issued guidance that confirmed that the guidance applied to all ERISA employee benefit plans and not just retirement plans. Compliance Assistance Release No. 2024-01 | U.S. Department of Labor (dol.gov) I am surprised about this confusion because the same issues arise in both health/welfare plans and retirement plans when it comes to potential cybersecurity risks. But now it is clear – the cybersecurity guidance applies to ALL ERISA plans.
What does this mean to you if you sponsor an employee benefit plan for your employees? This means that you should review the guidance and ensure that your employee benefit plans (health and welfare plans as well as any retirement/pension plans) are in compliance with ERISA when it comes to cybersecurity protections. Failure to keep your plan safe can result in significant losses to your plan and plan participants as well as opening yourself up for potential ERISA violations. Talk to your legal counsel to ensure that your plans are up to speed on their cybersecurity policies and procedures. And if they are not, get on it before your plan gets hacked! Even if your plans are not covered by ERISA (governmental or church plans, for example), this guidance does provide some good information for making sure your plans are protected.