
DOL Issues Cybersecurity Guidance Update
The U.S. Department of Labor (DOL) issued Compliance Assistance Release No. 2024-01. This guidance clarified that DOL cybersecurity guidance issued in April 2021 applies to all ERISA-covered plans – including health and welfare plans. Although Texas injury benefit plans are not considered “group health plans” in most cases for ERISA purposes, these plans are still considered “welfare plans.” For that reason, Texas injury benefit plans must comply with ERISA requirements that are applicable generally to welfare plans – including this new guidance.
The updated guidance provides three key parts:
- Tips for Hiring a Service Provider – plan fiduciaries should thoroughly vet potential plan service providers (third party administrators, medical management, etc.) by:
  - Asking specific, detailed questions, and reviewing the provider's security history and validation process; and
  - Verifying that prospective service providers have insurance that includes coverage for cybersecurity breaches.
- Cybersecurity Program Best Practices – plan fiduciaries should provide account security training and resources, such as password management, cyberthreat awareness (for example, phishing) and multi-factor authentication (MFA).
- Online Security Tips – plan fiduciaries should conduct regular cybersecurity risk assessments, use data encryption and MFA, and establish reasonable procedures within their IT departments for protecting against cybersecurity threats.
Texas Option employers can consider several steps for complying with this new guidance, such as:
- Include clear cybersecurity terms in service provider contracts, obtain information regarding service provider internal cybersecurity policies, audits and any history of breaches, and ensure that service providers have appropriate insurance coverage.
- Ensure your internal cybersecurity policies include regular risk assessments, strong encryption practices, incident response planning, and annual self-audits.
- Provide ongoing resources to educate plan participants (Texas employees) and plan representatives with respect to online security, including using strong passwords, MFA and phishing awareness.