The history of cybercrime provides a stark reminder of how rapidly technology evolves and how vulnerabilities can be exploited by bad actors. Over the decades, cyberattacks have grown in scale and sophistication, mirroring the evolution of technology.

From Early Cybercrime to Modern Cybersecurity Obligations

While technology allows users to perform many tasks more efficiently, it has also allowed bad actors to take advantage of vulnerabilities for financial gain. Cybersecurity has transformed into a critical area of focus, with governments and organizations implementing advanced defenses to counter ever-evolving threats. The escalating financial and operational risks associated with cyberattacks, projected to cost the global economy $15.63 trillion annually by 2029, underscore the urgent need for vigilance across all sectors (Statista).

The employee benefits sector, particularly health and retirement plans governed by ERISA, has not been immune to cyber threats. With vast amounts of sensitive participant data at stake, these plans have become attractive targets for cybercriminals. To address these risks, the U.S. Department of Labor (DOL) issued cybersecurity guidance in April 2021. This guidance was recently updated in September 2024 to explicitly include health and welfare plans, clarifying any prior ambiguity about their inclusion in the original guidance.

The increasing digitization of plan administration has amplified the need for robust cybersecurity measures, making the protection of participant data a critical aspect of fiduciary responsibility. The DOL’s position reflects the growing importance of cybersecurity as a fundamental component of plan governance, aligning the protection of participant information with the prudent management of plan assets.

By tracing the evolution of cybercrime to its impact on the employee benefits landscape, we can better understand the necessity of the DOL’s expanded guidance and the critical role plan sponsors must play in mitigating cybersecurity risks.

The Evolution of DOL Cybersecurity Guidance

The DOL’s April 2021 cybersecurity guidance offers best practices for plan sponsors, fiduciaries, and service providers. These guidelines include recommendations for selecting and monitoring vendors, contractual protections, and participant education to mitigate cybersecurity risks.

In its updated guidance issued in September 2024, the DOL clarified that these cybersecurity expectations apply to all ERISA-governed plans, including health plans. This clarification highlights the increasing vulnerability of sensitive participant data in health plans and the need for robust cybersecurity measures across all aspects of plan administration.

Key Highlights of the Updated Guidance

  1. Applicability to Health Plans – the updated guidance explicitly extends cybersecurity obligations to health and welfare plans, addressing misconceptions about whether the guidance applies to these plans. This recognizes the high value of sensitive health data and its vulnerability to cyberattacks.
  2. Emphasis on Best Practices – plan sponsors and fiduciaries are reminded of their duty to prudently select and monitor service providers with strong cybersecurity protocols in addition to implementing the guidance themselves. The best practices outlined in 2021, including risk assessments, data encryption, the use of multifactor authentication and incident response plans, remain critical.
  3. Participant Education – the DOL continues to stress the importance of educating participants on protecting their accounts. This includes guidance on strong passwords, multifactor authentication, and vigilance against phishing attacks.

Implications for Plan Sponsors and Fiduciaries

Plan sponsors and fiduciaries must take proactive steps to comply with the expanded guidance. Under ERISA, fiduciaries have a duty to act prudently and in the best interest of plan participants. This now explicitly includes ensuring that health plans are safeguarded against cybersecurity risks.

Some Practical Steps for Compliance

  1. Evaluate Vendor Cybersecurity Practices – plan sponsors must conduct due diligence on service providers, ensuring they have robust cybersecurity programs, third-party audits, and breach response protocols.
  2. Strengthen Contracts – contracts with service providers should include clear cybersecurity provisions, such as data protection requirements, breach notification timelines, and liability for cybersecurity failures.
  3. Conduct Independent Annual Cybersecurity Audits – cybersecurity assessments on an annual basis are essential to evaluate the effectiveness of both internal systems and external vendors. These assessments should be performed by an independent third party, not internally or by a managed service provider (MSP) if the plan utilizes one, to ensure impartiality. Promptly address any findings from the assessment to strengthen your plan's cybersecurity posture and maintain ongoing compliance.
  4. Educate Plan Participants – providing participants with tools and education to protect their accounts is critical. This includes promoting awareness of phishing scams, secure password practices, and regular account monitoring.
  5. Monitor and Document Oversight Activities – plan sponsors must maintain detailed records of their cybersecurity oversight activities, including vendor evaluations, audits, and training sessions. This documentation is vital for demonstrating compliance with fiduciary responsibilities.
  6. Implement Required Cybersecurity Controls – ensure the deployment of essential technical safeguards, including multifactor authentication, data encryption, network segmentation, vulnerability management, and access controls. Refer to the DOL’s guidance for a comprehensive list of required controls to align with best practices and regulatory expectations.
  7. Conduct Annual Penetration Testing – perform annual penetration tests on your systems to identify and address vulnerabilities before they can be exploited. This proactive approach helps ensure your cybersecurity defenses remain robust and up to date against emerging threats.


The High Stakes of Cybersecurity in Health Plans

Health plans are uniquely vulnerable to cyberattacks due to the highly sensitive and diverse data they manage, making them a lucrative target for cybercriminals. Eligibility and enrollment records often include personally identifiable information (PII) such as Social Security numbers, addresses, and employment details, which are prime targets for identity theft and fraud. Claims and utilization data contain medical histories, diagnoses, treatments, and other protected health information (PHI), which can be exploited for insurance fraud or blackmail. Provider data, including National Provider Identifiers (NPIs), Tax Identification Numbers (TINs), and contract terms, is also at risk, with potential consequences for both patients and healthcare providers.

Payment and financial data such as bank account information, credit card details, and billing records are highly valuable for financial scams and unauthorized transactions. The growing reliance on telemedicine and medical devices, which generate and transmit health metrics and other sensitive data, has further expanded the attack surface. These interconnected systems, while improving healthcare access and efficiency, introduce new vulnerabilities that can be exploited to compromise entire networks.

The financial impact of cyberattacks is staggering. In the healthcare sector alone, ransomware attacks have increased by 94% in recent years, often resulting in service disruptions and patient care delays (Sophos). But the consequences of such breaches extend beyond financial losses, threatening patient safety, eroding trust, and exposing organizations to regulatory penalties and legal liabilities. Robust cybersecurity measures, proactive threat monitoring, and rigorous compliance with data protection laws are essential to safeguard health plan data and maintain the integrity of these critical systems.

Next Steps for Plan Sponsors

Plan sponsors of ERISA health plans should act now to align their cybersecurity practices with the updated DOL guidance. This includes:

  • Engaging cybersecurity experts to evaluate existing practices and identify areas for improvement.
  • Developing a monitoring and oversight program to assess and manage vendor cybersecurity risks.
  • Implementing robust internal controls to safeguard participant data and comply with fiduciary obligations.

Key Takeaways

The DOL’s cybersecurity guidance to health plans reinforces the critical importance of protecting participant data in an increasingly complex digital landscape. By adopting a proactive approach to cybersecurity, plan sponsors can not only meet their fiduciary obligations but also build trust with participants and ensure the long-term integrity of their plans.

Staying ahead of cybersecurity threats is no longer optional; it is a fiduciary duty.

Contact Us

For more information on this topic, please contact a member of Withum’s Multiemployer Benefit Plans Services Team.