
Since releasing cybersecurity recommendations in April 2021, officials from the U.S. Department of Labor (“DOL”) have made it known that they intend to concentrate their ERISA investigations on cybersecurity vulnerabilities. The DOL’s examinations of qualified retirement plans are well underway.

H&W Cybersecurity Audits have Started

The DOL has integrated cybersecurity queries and questions into health and welfare (“H&W”) plan examinations. This is a significant step, because when the DOL’s cybersecurity guidance was first released there was some doubt about whether it applied to H&W plans at all. This change suggests the DOL does believe the guidance applies to all benefit plans covered by the Employee Retirement Income Security Act (“ERISA”).

The DOL’s position may make H&W plans particularly susceptible to a cybersecurity investigation, especially those affected by data breach incidents at their service providers. H&W plan sponsors should remember that following the DOL’s cybersecurity recommendations and adhering to the Health Insurance Portability and Accountability Act (“HIPAA”) is prudent.

The DOL has shown interest in a range of documents linked to cybersecurity procedures as part of investigations of H&W plans, including:

  • documents governing the IT systems, a breach response plan, a disaster recovery plan, and copies of system development lifecycle controls (“SDLC”), if applicable;
  • schedules of systems crucial to the upkeep and protection of participant data and assets (including details on data used by the plan, where data resides, and systems outsourced to service providers, as well as file sharing systems);
  • reports from internal and external cybersecurity audits, including IT system audits (SOC 1 or SOC 2), as well as internal and external (with auditors) communications;
  • proof of cybersecurity insurance coverage;
  • documents that mention or discuss cybersecurity, such as emails and minutes from meetings of the plan committee or the board of trustees or directors where the readiness of the plan for cybersecurity was discussed; and
  • documents that discuss cybersecurity-related events, such as unauthorized access or suspicious activity.

There’s More

While the above list of documents is lengthy, it is not exhaustive. Fiduciaries of health and welfare plans should assess their compliance with the DOL cybersecurity guidance and make sure that their HIPAA compliance program, including their HIPAA privacy and security policies and procedures, is up to date, especially if they have been affected by data breach events.