When planning for cybersecurity, include your benefit plans
Strong passwords. Two-factor authentication. Mandatory password changes. Most of us have seen these and other cybersecurity requirements expand in both scope and complexity in recent years. Many of these changes have been required by law, as data privacy regulation has spread at the local, state, and national levels. Until recently, cybersecurity requirements didn’t exist in the area of employee benefit plans. That’s no longer the case.
DOL issues guidance
The document issued by the U.S. Department of Labor (DOL) and titled “Tips for Hiring a Service Provider with Strong Cybersecurity Practices” is particularly useful if you sponsor an Employee Retirement Income Security Act (ERISA) plan that uses a third party to hold participant data and/or assets (e.g., a self-insured group health plan or a qualified retirement plan of any type). Other documents also may be useful to you:
- “Cybersecurity Program Best Practices” is geared toward recordkeepers and other service providers who are responsible for ERISA plan data and IT systems; and
- “Online Security Tips” may have been written with plan participants and beneficiaries in mind.
While the intended audience may vary, all three articles provide important insights into what the DOL may regard as prudent and/or appropriate standards and practices for ERISA plans.
Guidance isn’t fluff