By Jenny Kiffmeyer, J.D – The Retirement Learning Center
What is the Department of Labor’s (DOL’s) Employee Benefits Security Administration’s (EBSA’s) Cybersecurity Guidance Update?
Highlights of the Discussion
On September 6, 2024, the DOL issued the EBSA’s Compliance Assistance Release No. 2024-01, clarifying that the cybersecurity guidance it issued in April, 2021, applies to all employee benefit plans subject to the Employee Retirement Income Security Act of 1974 (ERISA), including both employee pension benefit plans, (e.g., tax-qualified defined contribution and defined benefit retirement plans), and health and welfare plans.
Background
By way of background, in February 2021, the U.S. Government Accountability Office (GAO) recommended that the DOL: (1) state whether cybersecurity for plans subject to ERISA is a plan fiduciary responsibility; and (2) provide guidance that “identifies minimum expectations” with respect mitigating cybersecurity risks in plans subject to ERISA. [1] In April, 2021, the DOL responded to the GAO’s second recommendation with the EBSA’s 2021 cybersecurity guidance discussed below. The 2021 cybersecurity guidance explicitly applied to employee pension benefit plans, e.g., tax-qualified retirement plans. The 2021 cybersecurity guidance is divided into three components, as discussed in our earlier Case of the Week.
2024 Update
The EBSA’s 2024 cybersecurity guidance clarifies that the three components discussed in its 2021 guidance also apply to health and welfare plans by explicitly stating that employers, plan sponsors, fiduciaries and plan participants of employee pension benefit plans and health and welfare plans should follow the guidance and maintain strong cybersecurity practices. In addition, the 2024 guidance references the following U.S. Department of Health and Human Services publications which are targeted to help health plans, and their service providers maintain good cybersecurity practices:
- Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients
- Technical Volume 1: Cybersecurity Practices for Small Healthcare Organizations
- Technical Volume 2: Cybersecurity Practices for Medium and Large Healthcare Organizations
Implications
Given that ERISA benefit plans hold assets in the trillions of dollars and benefit millions of participants, it is critical that plan sponsors and other plan fiduciaries review the EBSA’s updated 2024 cybersecurity guidance. The EBSA’s updated cybersecurity guidance provides recommendations on how plan fiduciaries and service providers may assess and evaluate their plans’ cybersecurity policies and procedures and help safeguard plans from breaches and other cyberattacks.
As many plan sponsors of health and welfare plans are grappling with evolving privacy compliance issues triggered by HIPAA Reproductive Health Care Rules, the Mental Health Parity and Addiction Equity Act (MHPAEA), [1] FTC and Privacy of Substance Abuse Information under 42 CFR Part 2 Breach Reporting, Federal and State Privacy Laws, [2] the EBSA’s 2024 cybersecurity guidance underscores the importance of identifying and addressing privacy and cybersecurity risks to all employee benefit plans subject to ERISA, particularly the types of privacy risks inherent in health and welfare plans.
Is Cybersecurity a Plan Fiduciary Responsibility?
ERISA plan fiduciaries have certain responsibilities. Pursuant to ERISA Section 409(i), a breach of a fiduciary duty may result in personal liability to make the plan whole for losses resulting from the breach. At this point, caselaw is unsettled on the issue of whether cybersecurity risk management is a fiduciary duty under ERISA. There is an understanding, however, under DOL Regulation Section 2520.104b-1(c)(i)(B)and other pronouncements related to the electronic delivery of plan information that a plan sponsor must ensure the electronic system it uses keeps participants’ personal information relating to their accounts and benefits confidential. Plan sponsors that address cybersecurity risks with reference to the 2021 and 2024 EBSA guidance are better positioned to defend any potential claims brought under ERISA or even state or federal data breach laws.
DOL’s Cybersecurity Document Requests
As we discussed in an earlier Case of the Week, plans under DOL audit should be prepared to respond to the DOL’s extensive list of requested documentation supporting its cybersecurity policies, procedures and safeguards.
Conclusion
EBSA recently updated its cybersecurity guidance from 2021and clarified that its cybersecurity guidance applies to all plans subject to ERISA, including health and welfare plans. Plan advisors, employers, plan sponsors, and participants should be aware of the EBSA’s updated cybersecurity guidance for plans subject to ERISA. Prudent plan committees may also want to consider adding cybersecurity matters as a regular item to their meeting agendas moving forward, analogous to processes in place with respect to adopting, following, and monitoring the terms of investment policy statements and the like. Further, vendor selection processes may also need to be adapted accordingly.
[1] https://www.gao.gov/products/gao-21-25
[2] The EBSA’s 2021 cybersecurity best practices explicitly applied to retirement plans but the DOL subsequently added questions about health plan compliance during MHPAEA audits.
[3] HIPAA only preempts state law that is “contrary to” HIPAA privacy rules. “Contrary to” generally means “impossible to comply” with both or an “obstacle to the accomplishment” of HIPAA. HIPAA is a federal “floor”, meaning state law may be more protective, or stringent. At this point, several states have comprehensive health care privacy laws that are more stringent than HIPAA in some cases, e.g., Washington, Illinois, Connecticut, to name just a few.