Seyfarth Shaw – The U.S. Department of Labor (DOL) released updated cybersecurity guidance on September 6, 2024, clarifying that its cybersecurity standards apply to all ERISA-covered plans, including health and welfare plans, not just retirement plans. The guidance advises plan sponsors, fiduciaries, and participants to implement robust cybersecurity practices to protect sensitive participant data. Among its recommendations:
- Verify a prospective provider’s insurance covers losses due to cybersecurity incidents (e.g., ransomware attacks)
- Encourage participants to encrypt data when moving it outside of a system and use MFA (multi-factor authentication) when possible
- Conduct regular cybersecurity risk assessments of data and controls in the administration of ERISA-covered plans