On September 6, 2024, the U.S. Department of Labor’s Employee Benefits Security Administration (EBSA) released an update to the agency’s 2021 cybersecurity guidance for plan sponsors and fiduciaries, recordkeepers, and plan participants. The update clarifies that the guidance applies to all ERISA-covered plans, including health and welfare plans and employee retirement plans.
The update covers the following guidance:
- “Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.”
- “Cybersecurity Program Best Practices: Assists plan fiduciaries and recordkeepers in mitigating risks.”
- “Online Security Tips: Offers plan participants who check their online retirement accounts with rules for reducing the risk of fraud and loss.”
“The guidance complements EBSA’s regulations on electronic records and disclosures to plan participants and beneficiaries. These include provisions on ensuring that electronic recordkeeping systems have reasonable controls, adequate records management practices are in place and that electronic disclosure systems include measures calculated to protect Personally Identifiable Information.”
The update also lists the following publications from the U.S. Department of Health and Human Services (HHS) to help health plans and their service providers maintain sound cybersecurity practices:
- “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients”
- “Technical Volume 1: Cybersecurity Practices for Small Healthcare Organizations”
- “Technical Volume 2: Cybersecurity Practices for Medium and Large Healthcare Organizations”
Plan sponsors should review the updated guidance and confirm that the practices it describes (prudent selection and monitoring of service providers, a documented cybersecurity program, and participant-facing online security measures) are in place for all of their ERISA-covered plans, including health and welfare plans, not just retirement plans.
Please contact your Milliman consultant with any questions.