- On October 7, 2024
- ERISA
The federal Department of Labor (DOL) recently updated its cybersecurity guidance and confirmed it applies to all plans governed by the Employee Retirement Income Security Act (ERISA).
The new Compliance Assistance Release provides cybersecurity best practices for employers who sponsor health and retirement plans, plan fiduciaries, recordkeepers, and plan participants. When the previous version of this document was released in 2021, many health plan service providers told employers who sponsor health plans for their employees that it applied only to group retirement plans. The DOL has now made it clear that this new document and its predecessor also apply to group health plans subject to ERISA.
The release updates EBSA’s 2021 guidance and includes the following information:
- Tips for Hiring a Service Provider: This guide helps plan sponsors and fiduciaries prudently select service providers (e.g., carriers, PBMs, COBRA administrators, etc.) with strong cybersecurity practices. It also provides guidance on how employers can monitor service provider activities, as ERISA requires.
- Cybersecurity Program Best Practices: Assists plan fiduciaries and recordkeepers (typically the employer) in mitigating cybersecurity risks.
- Online Security Tips: Offers plan participants who access their accounts online rules for reducing the risk of fraud and loss.
Brokers should review the new guidance and ensure that all group health plan clients subject to ERISA are aware of their cybersecurity responsibilities. If you have any questions or need more information, please contact your ExpressLink representative.
