Citing resistance from health and welfare plan service providers, the DOL updated its 2021 cybersecurity guidance to clarify that it “generally applies to all employee benefit plans, including health and welfare plans.” This clarification is the only material change in the update. Even so, the update is a useful impetus for employers to survey their current cybersecurity practices with respect to their benefit plans. Why? Security breaches are becoming more common, larger in scope, and more costly in liability (How many breach notifications have you received this year? I’m at four). In its report on 2023 breaches, ITRC, a non-profit that tracks publicly available data breach information, noted that (1) the number of breaches is up 72% from 2021 (the previous high); and (2) the breaches victimized more than 353 million people.

  1. Refresh Memory of the Guidance. Some employers may not have thought about the DOL’s cybersecurity guidance since it was released in 2021. As a refresher, the guidance consists of three component documents, each targeted at a different audience. The first provides online security tips to participants (e.g., use strong passwords). The second provides tips to an employer for vetting a potential service provider’s cybersecurity practices during an RFP process (e.g., verify that the service provider has cybersecurity insurance and examine its history of breaches). The third provides best practices for service providers to use as part of their cybersecurity programs (e.g., annual risk assessments, independent third-party audits of security controls, encryption of sensitive data, and an incident response program). All three components are published by the DOL’s Employee Benefits Security Administration (EBSA).
  2. Identify Ways to Incorporate Participant Tips. The guidance contains no specific disclosure requirement as to when or how to provide the security tips to participants, but it implies a fiduciary obligation to share the information with them. A simple way to communicate the tips is to add them to other benefit plan participant communications, such as summary plan descriptions or enrollment materials. The tips can also be posted on a company intranet site dedicated to benefits or on a service provider’s participant portal.
  3. Evaluate Current RFP Practices. For companies that have standard, internal processes for conducting an RFP, evaluate what cybersecurity factors those processes already cover (for example, the company’s InfoSec team may already have standard cybersecurity questions for RFP respondents). Then compare those processes against the DOL guidance and determine whether additional measures should be added. If a company relies on a consultant to administer an RFP process, it should require the consultant to account for the DOL guidance as part of that process. If a company builds an ad hoc process each time it goes to market for a service provider, it should create a standing reminder (for example, a line item in its RFP checklist) so the DOL guidance is addressed every time an RFP is prepared.
  4. Secure Contractual Commitments. While an employer does not have direct control over a service provider’s cybersecurity program, it can address the DOL’s cybersecurity best practices in its services agreement with the provider. When negotiating the services agreement, use the DOL best practices to decide which cybersecurity obligations to impose on the service provider, and favor obligations the company can actually verify over time (for example, a deadline for notifying the company of a breach and ongoing reporting on the provider’s security posture). Likewise, require the service provider to carry appropriate levels of cybersecurity insurance and to indemnify the company for any cybersecurity incident, including the costs incurred to protect participants affected by a breach.