DOL cyber guidance applies to ERISA health and welfare plans
October 21, 2024

It’s widely known that the healthcare sector is a frequent target of cyberattacks. Just to pick a few examples from federal agencies, the FBI reported that the healthcare sector led all others in ransomware complaints in 2023, and HHS recently announced a 264% increase since 2018 in large breaches involving ransomware. So it is perhaps unsurprising that the DOL recently confirmed that its 2021 cybersecurity guidance applies to all types of ERISA plans, including health and welfare plans, and not just to retirement plans.

DOL’s cybersecurity guidance

The guidance makes specific recommendations for both plan fiduciaries and service providers.

Tips for fiduciaries contracting with service providers. The DOL states that ERISA requires plan fiduciaries to prudently select service providers with strong cybersecurity practices and monitor providers’ activities. To help fiduciaries fulfill these duties, DOL has published a tip sheet urging plan sponsors and fiduciaries to ask for a host of information about a service provider’s cybersecurity program, such as details about the provider’s cybersecurity practices, its track record and any past breaches. Fiduciaries should find out if the service provider has insurance policies that would cover cybersecurity and identity theft breaches (whether caused by internal threats like employee misconduct or external bad actors).

DOL also recommends making sure that vendor contracts require ongoing compliance with cybersecurity and information security standards and include terms that enhance protection for the plan and its participants. Examples include specific terms detailing the service provider’s obligations to protect personally identifiable information, requiring the provider to obtain third party audits of its practices and ensuring the plan’s right to review the audit results. Consider requiring the service provider to obtain insurance coverage and avoid contract provisions limiting the provider’s responsibility for IT security breaches.

Cybersecurity best practices. DOL identifies 12 cybersecurity best practices for recordkeepers and other service providers responsible for plan-related IT systems and data. The best practices are practical in nature, addressing topics such as ensuring the safety of information stored in a cloud, encrypting sensitive data (both in storage and transit), and conducting periodic cybersecurity awareness training for employees. The best practices also include items DOL recommends that plan fiduciaries request when hiring service providers, such as a formal written cybersecurity program and annual third-party audits. Plan fiduciaries should look for a service provider’s adherence to these best practices to demonstrate prudent hiring decisions.

Next steps for health and welfare plan fiduciaries

  • Review cybersecurity measures for all ERISA-covered plans. Plan fiduciaries should continue to focus on their health plan’s cyber hygiene, but also review the cybersecurity measures of other welfare plans, such as accident, disability and life plans and on-site clinics, which aren’t subject to HIPAA but may face similar cyber risk. For example, a recent class action raises cybersecurity allegations against a life insurance carrier after a ransomware attack on its service provider.
  • Use the DOL’s guidance to ensure prudent selection of service providers with strong cybersecurity practices.
  • Use the DOL’s guidance to monitor the cybersecurity practices of all ERISA plan service providers. For example, make sure to request and review audits on a periodic basis. Consider asking all existing ERISA health and welfare plan service providers for details on their cybersecurity practices, past breaches and insurance policies.
  • Negotiate for service contract terms consistent with the guidance.
  • While not required, consider sharing the DOL’s tips for plan participants with members.

Lastly, plan sponsors and fiduciaries should watch for DOL audit or enforcement activity. The DOL’s press release quotes the Assistant Secretary for Employee Benefits Security as stating that “cybersecurity is a great concern for all employee benefit plans and we continue to investigate potential ERISA violations related to the issue.”
