Employee Benefit News for School, City and County Employers

Updated Cybersecurity Guidance for Employee Benefit Plans

Written by Mari Wagner | Sep 16, 2024 5:46:08 PM


In Compliance Assistance Release No. 2024-01, the U.S. Department of Labor’s Employee Benefits Security Administration (EBSA) has reaffirmed that its April 2021 cybersecurity guidelines apply to all employee benefit plans, including health and welfare plans.

Background

In 2021, EBSA issued cybersecurity guidance to protect plan data, personal information, and plan assets. Service providers believed it applied only to retirement plans. In 2022, it was recommended that EBSA clarify that the guidance also applies to health benefit plans.

Updated Guidance

The Compliance Release clarifies that the cybersecurity guidance applies to all ERISA-covered plans, including health, welfare, and pension plans. EBSA is providing the following updated guidance:

  1. Tips for Hiring a Service Provider – How to select a provider with strong cybersecurity practices
  2. Cybersecurity Program Best Practices – How to manage cybersecurity risks
  3. Online Security Tips – How to reduce the risk of fraud and loss

Additional Resources

The U.S. Department of Health and Human Services offers publications to help health plans and their providers maintain good cybersecurity practices.
