March 13, 2023

2022 ERISA Enforcement and Cybersecurity Updates

Employer-sponsored retirement plans are an essential benefit offering and a primary tool for employees to fund retirement savings. The retirement savings crisis has been in the spotlight over the last few months because of the SECURE Act 2.0. That legislation calls for several changes affecting plan administration, participant benefits, and even tax incentives for new plans. The gradual phase-in of the required changes has naturally been top of mind for many plan sponsors, especially given the time needed to update plan processes and procedures. However, a recently issued report on DOL enforcement actions initiated by the Employee Benefits Security Administration (EBSA) provides important information on where plans should focus their compliance attention. Concurrently, news that the DOL is receiving recommendations for updating its cybersecurity guidance means plan sponsors may have a busy 2023. To help clients, prospects, and others, Wilson Lewis has provided a summary of the key details below.

2022 Enforcement Actions

Through the EBSA, the Department of Labor (DOL) enforces various sections of the Employee Retirement Income Security Act (ERISA) of 1974. The agency acts to ensure that retirement and other benefit plans comply with the relevant regulations and provisions. Recently, the agency published a summary of its 2022 enforcement actions, including:

  • Recovered Assets from Investigations – Last year the agency closed 907 civil investigations, with 66% resulting in monetary compensation or other corrective actions. The most affected group was terminated vested participants, for whom $542M in outstanding benefits was recovered. Given the size of that figure, plans should confirm that their procedures for locating and paying terminated vested participants comply with the relevant regulations. Employers should be mindful that an investigation into missing or terminated benefit plan participants could be coming.
  • Non-Monetary Corrections – Efforts were also directed at obtaining non-monetary corrections. Last year alone, 29 fiduciaries were removed, 35 individuals were barred from serving in that role, and plan procedures were improved at more than 50 plans.
  • Abandoned Plan Program – The program facilitates the termination of plans abandoned by employers and the distribution of benefits to their participants. Last year, the agency received 1,433 termination applications, resulting in the distribution of $83.9M to affected participants. Proper plan termination is essential to avoid DOL scrutiny and ensure earned benefits are properly distributed.
  • Compliance Assistance Programs – Several programs, such as the Voluntary Fiduciary Correction Program (VFCP), encourage plans to correct ERISA violations. These programs are structured to provide incentives for proactively identifying and correcting plan issues. Based on the 2022 numbers, plan sponsors appear to be taking full advantage of self-correction opportunities: the EBSA reported receiving 1,374 applications through the VFCP and more than 22,000 applications in other areas. Finally, the EFAST2 Help Desk handled over 21,000 inquiries to help filers meet their reporting obligations. Employers should certainly take advantage of self-correction opportunities when available.

DOL Revised Cybersecurity Guidance

Because health plans and insurers are major targets for cyberattacks, the EBSA is considering changing its published cybersecurity guidance to include updated information for health and welfare plans. A recently published report, Cybersecurity Issues Affecting Health Benefit Plans, includes suggestions from several experts on important changes to consider.

The new recommendations offer a reminder of the guidance the DOL previously published in 2021 – Cybersecurity Program Best Practices, Tips for Hiring a Service Provider With Strong Cybersecurity Practices, and Online Security Tips. The report also reiterates the importance of HIPAA and HITECH, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), and state laws that may apply to health and welfare plans, all of which need to be considered alongside these tips and resources. Other important changes under consideration include:

  • Best Practice Guidance – Although the 2021 guidance already applies to health and welfare plans, there still appears to be confusion at the plan sponsor level. It was suggested that additional guidance, perhaps in the form of FAQs, clearly convey the responsibility to comply with cybersecurity requirements under ERISA in addition to those required under HIPAA.
  • Cybersecurity Disclosures – To improve provider security practices, it was suggested that fiduciaries be required to obtain cybersecurity disclosures from existing and new service providers. Ideally, plans would be required to obtain these disclosures before entering into a service agreement.
  • Examination & Investigation Standards – The EBSA should also create minimum compliance standards that serve as the primary area of focus during audits and investigations. It was further suggested that any penalties assessed take into account the size of the plan sponsor and the efforts made to provide necessary participant protections.
  • Sample Contract Language – The IRS often provides sample contract language to help plan sponsors satisfy relevant legal requirements. It was suggested that the same be done to help small-to-medium plan sponsors with cybersecurity-related contract provisions.

While several recommendations were made, a few themes are clear: plans have difficulty addressing cybersecurity concerns with third-party providers; DOL guidance lacks clarity about how cybersecurity responsibilities apply to health plans; cybersecurity risks change quickly, so guidance should keep pace; and plans must comply with both ERISA and HIPAA cybersecurity requirements. The next step is for the DOL to review these recommendations and update its current guidance.

Contact Us

The enforcement action update from the EBSA provides important insight into where plan sponsors should focus to ensure that compliance and other failures are not present. Concurrently, the potential changes to cybersecurity guidance mean plan sponsors will have a lot to cover in the coming months. If you have questions about the information outlined above or need assistance with plan audit issues, Wilson Lewis can help. For additional information, call 770-476-1004 or contact us online. We look forward to speaking with you soon.

Erin Carter, CPA, CA, CFE, MBA