Business owners with employee benefit plans should be aware of the Department of Labor’s cybersecurity guidance to safeguard plan assets and fulfill their fiduciary obligations. The DOL has expanded this guidance, originally issued in 2021, to explicitly include health and welfare plans along with retirement plans. This comprehensive framework addresses cybersecurity responsibilities for plan sponsors, fiduciaries, recordkeepers, and participants.
The guidance includes three key components:
- Service Provider Selection Guidelines: Outlines criteria for evaluating and monitoring service providers’ cybersecurity practices, in accordance with ERISA fiduciary responsibilities.
- Cybersecurity Best Practices: Provides detailed recommendations for establishing robust cybersecurity programs, including risk assessment procedures, access controls, encryption standards, and incident response protocols.
- Participant Security Measures: Offers practical security tips for participants accessing their benefits online to protect against unauthorized access and fraud.
The updated guidance is published in Compliance Assistance Release 2024-01; the DOL's direct links to the three documents are listed below:
- Tips for Hiring a Service Provider with Strong Cybersecurity Practices
- Cybersecurity Program Best Practices
- Online Security Tips
Matthew Marcoullier is a director at ARB. He focuses primarily on financial accounting and consulting services for auto dealerships, commercial businesses, and closely-held businesses. Matt previously served as a Senior Auditor for the State of Maine Department of Audit.