Cybersecurity Compliance: Updated Guidance Issued by Department of Labor
- kprenatt
- Nov 6, 2024

In early September, the Department of Labor (“DOL”) put to rest any lingering doubts from health and welfare plans or their service providers regarding whether the DOL’s previous cybersecurity guidance was applicable to these plans. Compliance Assistance Release No. 2024-01 clearly and distinctly advises that the cybersecurity guidance applies to all types of ERISA plans, including health and welfare plans and all employee pension benefit plans.
In addition, the DOL provided minor updates to the previous guidance that was issued in 2021. For ERISA plan fiduciaries, the guidance is updated to note that ERISA plan fiduciaries should ensure that their service providers and/or vendors have sufficient insurance coverage for cybersecurity breaches and incidents involving the ERISA plans. For ERISA service providers, the DOL recommends that they employ multifactor authentication processes and notify participants of unauthorized access or acquisition of personal data without unreasonable delay.
Overall, the DOL’s Compliance Assistance Release No. 2024-01 is a reminder that cybersecurity is a top priority for the DOL. In light of the repercussions and disruptions to daily life that may result if a plan participant or beneficiary is affected by a cybersecurity breach, ERISA plan fiduciaries must remain vigilant in monitoring their service providers and vendors and be mindful of their duties to prudently select service providers or vendors that may be responsible for and manage sensitive plan or participant data.



