The U.S. Department of Labor (DOL) has issued Compliance Assistance Release No. 2024-01, providing updated cybersecurity guidance for all ERISA-covered plans, including retirement, health, and welfare plans. This release clarifies that the guidance, previously thought by some to apply only to retirement plans, actually extends to all employee benefit plans governed by the Employee Retirement Income Security Act (ERISA).
The updated guidance outlines key best practices for cybersecurity, such as conducting regular risk assessments, implementing strong access control measures, encrypting sensitive data, and ensuring that service providers adhere to robust cybersecurity standards. Plan fiduciaries are encouraged to carefully vet service providers, inquire about past breaches, and require regular audits to ensure compliance with cybersecurity protocols.
Additionally, the guidance includes security tips for plan participants, such as monitoring online accounts and using strong passwords to minimize the risk of fraud and data breaches.