
Cybersecurity for Employee Benefit Plans: Updated EBSA Guidance

September 19, 2024

In updated guidance, the Employee Benefits Security Administration (EBSA), a subagency of the U.S. Department of Labor (DOL), confirmed that its 2021 cybersecurity guidance applies to all ERISA-covered employee benefit plans, including health and welfare plans, not only retirement plans. Plan fiduciaries, third-party service providers, and plan sponsors should take steps to ensure that their cybersecurity practices meet the guidance's expectations for every employee benefit plan they administer.

Employee benefit plans are attractive targets for cybercriminals because of the large amounts of sensitive personal and financial participant data they hold. As threats continue to emerge and grow more sophisticated, fiduciaries can better protect participant data and reduce their own exposure by bringing their programs into line with the guidance now rather than after an incident.

Here are the key highlights from the updated guidance:

Cybersecurity Program Best Practices

Plan fiduciaries and recordkeepers should carefully review which of the guidance's best practices, outlined below, they have already implemented and which still need to be implemented to effectively mitigate cybersecurity risk.

  • Maintain a well-documented cybersecurity program that identifies, assesses, and responds to cybersecurity threats, including written policies covering appropriate disclosures, notification requirements, and correction of identified issues.
  • Perform regular and comprehensive risk assessments and remediate the risks and gaps they identify.
  • Have an independent third party conduct an annual audit of security controls and implement corrections for any weaknesses it identifies.
  • Clearly define information security roles and responsibilities at all appropriate levels of the business, including an executive responsible for overseeing the cybersecurity program.
  • Implement strong access control procedures, including multi-factor authentication (MFA), limiting each user's access to what their role requires, and monitoring access activity.
  • Conduct updated cybersecurity awareness training for all personnel at least annually.
  • Implement a secure system development life cycle (SDLC) program so that new systems are designed and built with cybersecurity in mind.
  • Implement a resiliency program so that the business can adapt quickly to maintain operations and isolate problems in the event of a disruption.
  • Ensure that standards for encrypting sensitive data, both stored and in transit, and other technical controls are being met.

Service Provider Suggestions

Plan sponsors and fiduciaries should carefully assess service providers’ cybersecurity practices.

  • Evaluate and compare the service provider's information security standards and policies, and confirm that its level of security is backed by audit reports and risk assessments rather than by representations alone.
  • Evaluate the service provider's track record, including public information on security breaches, litigation, and legal proceedings.
  • Ask whether the service provider carries applicable insurance coverage.
  • Ask how the service provider has responded to potential and actual security breaches in the past, and review its current incident response plan.
  • Ensure that the contract requires ongoing compliance with cybersecurity standards and is detailed enough to create a reasonable expectation of compliance.

The updated guidance also includes several online security suggestions for participants as individuals, along with a reminder to plan sponsors that those suggestions apply to participants in health and welfare plans as well as retirement plans. In light of this updated guidance, plan fiduciaries, service providers, and plan sponsors should evaluate and refresh their cybersecurity policies to ensure compliance across all of their employee benefit plans. Cybersecurity practices for employee benefit plans should also form part of a broader, business-wide security program rather than a stand-alone effort.

For any questions regarding the updated guidance or to learn more about how it may affect your organization, please contact a member of Varnum's Employee Benefits or Data Privacy and Cybersecurity teams. Our attorneys are prepared to help you navigate the evolving regulatory landscape and bring your systems and policies into compliance.

Law Clerk Kathleen Lok contributed to this advisory.
