The Department of Labor (DOL) has updated its 2021 package of guidance designed to help ERISA plan sponsors and service providers reduce cybersecurity risks.
The guidance applies to ERISA-covered health and welfare plans in addition to retirement plans. ERISA-covered health and welfare plans include medical, dental and vision plans as well as plans that provide life and accidental death and dismemberment insurance, long-term disability benefits, business travel insurance, certain employee assistance programs and wellness programs, most health flexible spending arrangements, health reimbursement arrangements and other benefit plans covered by ERISA.
As outlined in a recent news release, the latest Compliance Assistance Release continues to provide tips and best practices in cybersecurity for plan sponsors, plan fiduciaries, recordkeepers and plan participants, including:
- Tips for Hiring a Service Provider With Strong Cybersecurity Practices
- Cybersecurity Program Best Practices
- Online Security Tips
The DOL did not make many substantive changes to the 2021 guidance, although the latest guidance:
- Clarifies that it applies to health and welfare plans as well as retirement plans
- Recommends that when hiring service providers, plan sponsors and fiduciaries ensure their insurance covers cybersecurity breaches
- Provides examples of best practices related to using multi-factor authentication
- Recommends timely notifying participants of cybersecurity breaches
- Updates its password security tips (for example, avoid using common passwords and change passwords annually or when there is a security breach)