DOL Clarifies Application of 2021 Cybersecurity Guidance

On September 6, 2024, the DOL issued the EBSA’s Compliance Assistance Release No. 2024-01, clarifying that the cybersecurity guidance it issued in April, 2021, applies to all employee benefit plans subject to the Employee Retirement Income Security Act of 1974 (ERISA), including both employee pension benefit plans, (e.g., tax-qualified defined contribution and defined benefit retirement plans), and health and welfare plans. Consequently, employers, plan sponsors, fiduciaries and plan participants of employee pension benefit plans and health and welfare plans should follow the guidance and maintain strong cybersecurity practices.

In addition, the 2024 guidance references the following U.S. Department of Health and Human Services publications which are targeted to help health plans, and their service providers maintain good cybersecurity practices:

• Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients

• Technical Volume 1: Cybersecurity Practices for Small Healthcare Organizations

• Technical Volume 2: Cybersecurity Practices for Medium and Large Healthcare Organizations

Plan sponsors may also want to consider adding cybersecurity matters as a regular item to their plan committee meeting agendas moving forward, analogous to processes in place with respect to adopting, following, and monitoring the terms of investment policy statements and the like. Further vendor selection processes may also need to be adapted accordingly.

Sources

Healthcare & Public Health Sector Coordinating Council (2025, January 26). Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients. HICP. https://405d.hhs.gov/Documents/HICP-Main-508.pdf

Healthcare & Public Health Sector Coordinating Council (2025, January 26). Technical Volume 1: Cybersecurity Practices for Small Healthcare Organizations. HICP. https://405d.hhs.gov/Documents/tech-vol1-508.pdf

Healthcare & Public Health Sector Coordinating Council (2025, January 26). Technical Volume 2: Cybersecurity Practices for Medium and Large Healthcare Organizations. HICP. https://405d.hhs.gov/Documents/tech-vol2-508.pdf