DOL Updates Cybersecurity Guidance to Confirm It Applies to All Employee Benefit Plans

By Rachel Loscheider & Edward I. Leeds on October 1, 2024

Summary

The U.S. Department of Labor (DOL) updated its 2021 cybersecurity guidance to clarify that it applies to all employee benefit plans. The DOL guidance confirms that plan fiduciaries, including health and welfare plan fiduciaries, have an obligation to evaluate the cybersecurity procedures of plan record-keepers and other service providers.

The Bottom Line

While the updates to the DOL’s cybersecurity guidance were limited, they suggest that the DOL views cybersecurity as a top priority, making it more likely that the DOL will target data privacy and security issues when auditing and investigating health and welfare plans, as it already has with retirement plans.

Attorneys in Ballard Spahr’s Employee Benefits and Executive Compensation Group and Privacy and Data Security Group can help employers, plan fiduciaries, and plan service providers navigate the DOL’s cybersecurity guidance.

In 2021, the U.S. Department of Labor (DOL) issued cybersecurity guidance to advise plan sponsors, fiduciaries, service providers, and participants on ways to safeguard plan data, personal information, and plan assets. Since then, DOL investigators have included cybersecurity-related questions and investigations in their audits of Employee Retirement Income Security Act of 1974 (ERISA) plans. However, because the guidance is aimed mostly at retirement plans, it left the impression that its terms did not extend to health and welfare plans. In response to this confusion, the DOL recently published Compliance Assistance Release No. 2024-01, which clarifies that the 2021 guidance applies to all employee benefit plans, including health and welfare plans.

As a reminder, the 2021 guidance consists of three parts:

  • Tips for Hiring Service Providers. This provides practical guidance to plan sponsors and fiduciaries who are selecting and negotiating contractual terms with plan service providers.
  • Cybersecurity Program Best Practices. This guidance confirms that responsible plan fiduciaries have an obligation under ERISA to ensure the proper mitigation of cybersecurity risks. It identifies best practices for service providers responsible for plan-related IT systems and data. Such best practices track the National Institute of Standards and Technology (NIST) cybersecurity framework as well as FTC and other regulatory guidance and guide plan fiduciaries in making prudent decisions regarding the hiring and retention of plan service providers.
  • Online Security Tips. This guidance is directed to plan participants, and consists of best practices to help ensure the security of participants’ online data.

Please refer to our 2021 Client Alert for additional details regarding the DOL’s 2021 cybersecurity guidance.
