October 24, 2024 - As October arrives, bringing with it the vibrant colors of fall, it also signals a critical time of year for employers. The month of October has been deemed Cybersecurity Awareness Month and October 15th is the deadline for employers to file Form 5500 for employee benefit plans with a calendar year ending on December 31st. Although these two topics may seem unrelated, there has been increased focus on cybersecurity for employee benefit plans.

With over four million employee benefit plans, holding $14 trillion in assets and covering 153 million participants, it is no surprise that there have been several cybersecurity breaches where participant Social Security numbers and other personal identifying information has been compromised. As an increasing number of employee benefit plans continue to transition to paperless transactions, it is crucial for there to be a collective effort amongst plan sponsors, plan fiduciaries, recordkeepers, and plan participants to implement appropriate best practices to help protect against cybercrime.

Cybersecurity guidance for employee benefit plans

The Employee Benefits Security Administration (EBSA), a branch of the Department of Labor (DOL), originally issued cybersecurity guidance in 2021 to assist plan sponsors, fiduciaries, and participants in safeguarding personal information and plan assets. The guidance, which included best practices for managing cybersecurity risks and hiring service providers with strong data protection protocols, was largely interpreted as applicable only to retirement plans. However, confusion arose in the years following the release as many health and welfare plan service providers and fiduciaries believed that the guidance did not apply to their plans. The ERISA Advisory Council, in a 2022 recommendation, urged the DOL to clarify the applicability of this cybersecurity guidance to health benefit plans, prompting a recent update.

In September 2024, the DOL issued Compliance Assistance Release No. 2024-01, confirming that its 2021 cybersecurity guidance applies to all ERISA (Employee Retirement Income Security Act) plans, including health and welfare plans and not just retirement plans. The DOL's update aims to help fiduciaries protect sensitive data and plan assets, marking a significant step toward stronger cybersecurity practices across all employee benefit plans, ultimately fostering a more secure digital environment for plan administrators, participants, and beneficiaries.

The updated guidance reiterates the need for a comprehensive approach to cybersecurity across all ERISA plans and includes the following key elements:

1. Tips for hiring a service provider: This section helps plan sponsors and fiduciaries select service providers with strong cybersecurity practices and outlines how to prudently monitor their activities as required by ERISA.
2. Cybersecurity program best practices: This guidance supports fiduciaries and record-keepers in managing cybersecurity risks, ensuring that sensitive plan data and assets are properly protected from cyber threats.
3. Online security tips: For participants and beneficiaries who access their retirement or employee benefit plan information online, this section offers basic tips to reduce the risk of fraud, identity theft, and financial loss. For more detailed information, you can refer to the full Compliance Assistance Release No. 2024-01.

Protect your employee benefit plan with cyber insurance

Another step towards safeguarding an employee benefit plan is to ensure that it is covered by your organization’s cyber-insurance policy. Review the details of the policy to understand what events are covered and if there are any restrictions or conditions. Our Cybersecurity Practice estimates that it is 14 times more costly to recover from a cyberattack than it is to prevent one, and that cost does not factor in unwanted press and reputational damage.

As the DOL has expressed its intention to focus on cybersecurity issues in its ERISA investigations, it is important for plan sponsors to document the steps taken to comply with these tips and best practices as part of its fiduciary responsibilities.

Plan fiduciaries are encouraged to take immediate action to assess their current cybersecurity measures, ensuring they meet the updated standards set forth by the DOL to protect participants' personal data and plan assets effectively. With cyberattacks becoming more frequent and sophisticated, the expansion of cybersecurity guidance is timely, as employee benefit plans, including health and welfare plans, often handle sensitive personal data, making them prime targets for cybercriminals.

How Citrin Cooperman can help

Citrin Cooperman has a long-standing, dedicated Employee Benefit Plan Practice focused on providing specialized professional services and industry-specific thought leadership related to various types of employee benefit plans, including 401(k) plans, 403(b) plans, defined benefit plans, employee stock ownership plans, and health and welfare plans. Our team can efficiently and effectively help you achieve your security goals and meet your fiduciary responsibility.

If you have questions on how your organization can remain compliant with these upcoming regulations or if you are in need of cyber resources to help protect your organization, please contact Kevin Ricci at kricci@citrincooperman.com or Lauren Florio at lflorio@citrincooperman.com.