Cybersecurity and related risks are here to stay. Employee benefit plans face significant cybersecurity threats, and the consequences of a single attack can be devastating. Employee benefit plans, including but not limited to retirement plans, 401(k) plans, 403(b) plans, defined benefit plans, and health and welfare plans, are typically administered by many third parties (service organizations). In addition, participants can access the benefit portal from home computers, personal phones, and work computers. This introduces several potential entryways for cybercriminals. As a result, plan fiduciaries should be doing what they can to prevent any cyber breaches.
The Employee Benefits Security Administration (EBSA) issued cybersecurity guidance in April 2021 with the intent to help plan sponsors, fiduciaries, service providers, and participants in employee benefit plans safeguard plan data, personal information, and plan assets. In Compliance Assistance Release No. 2024-01, updated in 2024, the EBSA clarified that this guidance from April 2021 applies to all health benefit plans.
In 2024, the EBSA issued some additional guidance. The first was Tips for Hiring a Service Provider with Strong Cybersecurity Practices. Employers and other sponsors of employee benefit plans often outsource most of the administration of the benefit plan, so they rely on service providers to maintain plan records, keep participant data confidential, and keep plan accounts secure. Plan sponsors should therefore use service providers that follow strong cybersecurity practices. This guidance includes six tips to help plan fiduciaries meet their responsibilities to select and monitor such service providers.
The next guidance issued in 2024 was Cybersecurity Program Best Practices. Employee benefit plans often hold millions of dollars in assets, in addition to storing participants' personally identifiable data. This makes them a tempting target for cybercriminals. This guidance provides 12 best practices for use by recordkeepers and other service providers responsible for plan-related IT systems and data. Plan fiduciaries should consider discussing these best practices with their service providers to confirm that they are following them.
The last guidance issued in 2024 was Online Security Tips. It includes basic rules to help participants in benefit plans reduce the risk of fraud or loss of personal data.
As a benefit plan administrator, one of your many responsibilities is to keep your plan safeguarded. Knowing and understanding the various guidance provided by the EBSA can help you fulfill this responsibility to your sponsor and your participants.
Contact Us
If you are a benefit plan administrator and have questions about your cybersecurity practices, we can connect you with relevant technology partners to help safeguard your plan data. Please contact us at 630.954.1400.