By: HUB’s EB Compliance Team
Back in April of 2021, the U.S. Department of Labor (“DOL”) issued guidance on cybersecurity best practices. While the guidance at that time was targeted to retirement plans, the “best practices” document referred generally to any ERISA-covered plan. At that time, HUB advised that sponsors of health and welfare plans may also want to take note. The DOL has now updated those best practices (and related documents) to confirm that they also apply to health and welfare plans. Even for plan sponsors not subject to ERISA (like governmental and most church plans), a review of the guidance would be helpful.
Where’s the Data?
The guidance primarily focuses on what service providers to ERISA plans should do. Why focus on the service providers? To borrow a quote (mis)attributed to notorious bank robber Willie Sutton, “that’s where the money is” and that’s where the data is as well. The reality is most employers, while they do have sensitive data on their employees, are unlikely to have direct access to all the same data that service providers have. For example, your insurer or third-party administrator has health insurance claims information and other detailed information that most employers simply do not access on a regular basis in part due to Health Insurance Portability and Accountability Act (“HIPAA”) concerns.
A Sense of Security
The best practices document was reissued with only minor modifications. As in 2021, it goes into some detail about the different features a strong cybersecurity program should have. In broad strokes, it says that plan service providers should:
- Have a formal, well documented cybersecurity program. – This will help identify the risks and how to protect against them, as well as how to respond to cybersecurity events.
- Conduct prudent annual risk assessments. – This helps keep the program up to date on the latest risks.
- Have a reliable annual third-party audit of security controls. – This gives an unbiased view of the strengths and weaknesses of a cybersecurity program.
- Clearly define and assign information security roles and responsibilities. – If it’s “everybody’s job” then in reality it’s nobody’s job, so someone needs to be responsible.
- Have strong access control procedures. – This ensures that users are who they say they are so that only the right people have access to the data.
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments. – Ultimately, if the data is being kept somewhere else, that provider’s security also matters.
- Conduct periodic cybersecurity awareness training. – Your weakest link is often your employees. The greatest program in the world can be felled by a single employee clicking on a phishing link. Training employees to spot fakes helps prevent that. To potentially bolster this training point, the DOL included an Online Security Tips document directed toward participants and beneficiaries.
- Implement and manage a secure system development life cycle (SDLC) program. – If applications are being developed internally, it’s important to make sure that the process of development is secure as well.
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response. – What does the service provider do when things go wrong?
- Encrypt sensitive data, stored and in transit. – This speaks for itself.
- Implement strong technical controls in accordance with best security practices. – Having good technical defenses helps. If a system is difficult to crack, the bad guys may move on to an easier target.
- Appropriately respond to past cybersecurity incidents. – This includes a thorough investigation, notifying cyber insurers, and notifying law enforcement, if appropriate. Of course, it also includes identifying and resolving cybersecurity issues to prevent this from happening again.
Practices (and Process), not Perfection
For health and welfare plan sponsors, the good news is that in many cases these practices are already a focus of their vendors, especially given legislation from 2021 designed to encourage HIPAA covered entities to adopt some security practices.
Still, the guidance provides a good roadmap for all sponsors of plans (including those not covered by ERISA) to consider when evaluating their service providers as part of their fiduciary due diligence. The guidance package helpfully includes Tips for Hiring a Service Provider with Strong Cybersecurity Practices. While many service providers will already be focusing on this, in part due to HIPAA, these best practices are in some ways more specific than what HIPAA generally requires.
Additionally, to the extent plan sponsors do maintain sensitive data related to their plans, they should also consider evaluating their own cybersecurity practices in light of this guidance. Under ERISA, fiduciary prudence is a process, so asking the right questions, getting and evaluating satisfactory answers, and making (and documenting) a reasoned decision is how to maximize fiduciary protection.
Finally, regardless of whether it’s service providers or plan sponsors, it is worth noting that these are best practices. Therefore, not every service provider will have to adopt every recommendation in this document. However, employers should evaluate each service provider’s practices in the context of the data that they retain.
If you have any questions, please contact your HUB Advisor.
NOTICE OF DISCLAIMER
Neither Hub International Limited nor any of its affiliated companies is a law or accounting firm, and therefore they cannot provide legal or tax advice. The information herein is provided for general information only, and is not intended to constitute legal or tax advice as to an organization’s or individual's specific circumstances. It is based on Hub International's understanding of the law as it exists on the date of this publication. Subsequent developments may result in this information becoming outdated or incorrect and Hub International does not have an obligation to update this information. You should consult an attorney, accountant, or other legal or tax professional regarding the application of the general information provided here to your organization’s specific situation in light of your or your organization’s particular needs.
