Updated Cybersecurity Guidelines for All Employee Benefit Plans by the U.S. Department of Labor
EBSA has confirmed that the cybersecurity guidelines it released in April 2021 apply to all employee benefit plans, including group health plans.
EBSA released the cybersecurity guidelines in 2021 to help plan sponsors, fiduciaries, service providers, and participants in employee benefit plans protect plan data, private information, and plan assets. In the years since, however, service providers for group health plans have told fiduciaries and EBSA inspectors that the guidance was limited to retirement plans. In 2022, the Department of Labor's ERISA Advisory Council recommended that EBSA make clear that health benefit plans are covered by the guidelines.
The cybersecurity guidance applies to all ERISA plans, including group health plans.

Best Practices for Hiring Cybersecurity Service Providers
Ask about the service provider’s information security standards.
Cybersecurity Program Best Practices Include
- Having a formal, well-documented cybersecurity program.
- Conducting prudent annual risk assessments.
- Having a reliable annual third-party audit of security controls.
- Clearly defining and assigning information security roles and responsibilities.
- Having strong access control procedures.
- Ensuring that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
- Conducting periodic cybersecurity awareness training.
- Implementing and managing a secure system development life cycle (SDLC) program.
- Having an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypting sensitive data, stored and in transit.
- Implementing strong technical controls in accordance with best security practices.
- Appropriately responding to any past cybersecurity incidents.
Resources
The new Compliance Assistance Release issued by the department’s Employee Benefits Security Administration provides best practices in cybersecurity for plan sponsors, plan fiduciaries, recordkeepers and plan participants.
- Tips for Hiring a Service Provider - Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.
- Cybersecurity Program Best Practices - Assists plan fiduciaries and recordkeepers in mitigating risks.
- Online Security Tips - Gives plan participants who check their online retirement accounts rules for reducing the risk of fraud and loss.