Compliance FYI: Cybersecurity for Employers Sponsoring ERISA Plans


As employers increasingly rely on electronic systems for health and welfare plan administration and recordkeeping, the risk that bad actors will attempt to access and use that electronic information for malicious purposes is also increasing. Employers, as plan sponsors, are responsible for ensuring the safekeeping of their plan's electronic information.

This is particularly important for employers that sponsor a health and welfare plan subject to the Employee Retirement Income Security Act (ERISA). As fiduciaries, sponsors of ERISA plans are responsible for ensuring the safekeeping of the electronic data they maintain and for ensuring any service providers they work with have robust cybersecurity measures in place. 

ERISA plan sponsors should familiarize themselves with the three pieces of guidance the Department of Labor (DOL) has made available for plan sponsors regarding their obligations to ensure the security of their employee benefits plan. While many of these documents refer to retirement plans, the DOL confirmed the guidance also extends to health and welfare plans.

Tips for Hiring a Service Provider offers plan sponsors a list of suggested questions to ask potential service providers when assessing their cybersecurity practices and suggestions on how to properly monitor the cybersecurity practices of a service provider.

Cybersecurity Program Best Practices provides a list of twelve best practices that a plan sponsor should take into consideration when deciding whether to hire a service provider. Plan sponsors should also consider the extent to which their own cybersecurity practices conform with the DOL's stated best practices.

Online Security Tips provides ERISA plan participants with several important considerations to keep in mind when setting up any account to access or review their ERISA-covered benefits. While these considerations are geared towards plan participants, a plan sponsor may want to consider the extent to which their own practices and the practices of their service providers are set up to help plan participants follow the security tips laid out by the DOL.

Next Steps for Plan Sponsors

ERISA plan sponsors should consider the above publications when setting up their cybersecurity practices for their health and welfare plan. Doing so may require plan sponsors to reassess their own internal cybersecurity practices and to implement or alter processes to meet DOL guidelines. Plan sponsors may also need to inquire about the cybersecurity practices of their service providers to ensure those providers are also meeting DOL guidelines.