CyberSecure

FOR LOCAL UNIONS

Cybersecurity Update for Taft-Hartley Benefit Plans

Jason Kotlyarov
Attorney, Kutak Rock LLP

Cybersecurity threats pose significant challenges to fiduciaries managing Taft-Hartley benefit plans. The growing number of digital access points to individual accounts and bank accounts has expanded the opportunities for fraud and theft available to criminals worldwide.

The Employee Retirement Income Security Act of 1974 (ERISA) imposes a fiduciary responsibility on plan fiduciaries to act with care, skill, prudence and diligence on all matters, including cybersecurity. Further, courts are upholding the Department of Labor’s (DOL) ability to enforce cybersecurity standards related to employee benefit plans. In Walsh v. Alight Solutions, LLC, the U.S. 7th Circuit Court of Appeals upheld the DOL’s authority to document the practices of a plan vendor that was not a fiduciary.

This article reviews relevant DOL guidance and highlights solutions for Taft-Hartley plan fiduciaries to safeguard plan assets.

DOL Cybersecurity Guidance

In 2021, the DOL’s Employee Benefits Security Administration (EBSA) issued cybersecurity and service provider selection guidance for retirement plans. In September 2024, the guidance was extended to include all employee benefit plans, including health and welfare plans. ERISA includes any plan or program established to maintain “apprenticeship or other training programs” in its definition of “employee welfare benefit plan,” meaning all retirement, health and welfare, and apprenticeship plans are subject to the EBSA’s guidance.

Specifically, the EBSA issued three pieces of guidance, one of which provided six tips for hiring a service provider. The six tips detail the record requests and verifications that plan fiduciaries must make before hiring service providers, including inquiries into the service provider’s cybersecurity practices, cybersecurity program audits, internal controls, track record of past security breaches and applicable reporting practices. The EBSA specifically states that fiduciaries should “beware” of contract provisions that limit the service provider’s responsibility for IT security breaches, meaning provisions that cap the dollar amount of damages related to cybersecurity incidents and breaches.

The Cybersecurity Program Best Practices guidance outlines 12 strategies for “responsible” service providers and for plan fiduciaries, including:

  • Maintain a well-documented cybersecurity program
  • Conduct risk assessments
  • Implement controls and procedures
  • Conduct periodic cybersecurity training
  • Encrypt sensitive data
  • Develop a cybersecurity incident response plan

Since most apprenticeship plans are self-administered and house most of their own data (and because many have relatively few resources compared to other fringe benefit funds), implementing every best practice could be costly and burdensome. Therefore, apprenticeship plans should follow the best practices to the best of their ability given their resources.

Finally, the Online Security Tips guidance is a fairly standard compilation of best practices for reducing the risk of fraud. The tips include monitoring online accounts, using strong and unique passwords, implementing multi-factor authentication, deleting any unused accounts or access, being wary of free Wi-Fi, and remaining vigilant in detecting phishing attacks.


Banking Protections

Cyber criminals often attempt to access the bank accounts of employee benefit funds or participant data. Many banks now offer safeguards for their accounts, particularly ACH Fraud Filter and Positive Pay, to help mitigate these threats. ACH fraud filters help prevent unauthorized Automated Clearing House (ACH) transactions by screening payments against predetermined criteria, flagging suspicious activity and allowing the fund to control which transactions are actually posted to its bank accounts. Positive Pay is an automated cash management service designed to prevent check fraud by matching the checks a fund has issued against those presented to the bank for payment.

Cyber Liability Insurance

Cyber liability insurance is a crucial protection step that has become the industry standard for Taft-Hartley employee benefit plans. Coverages for business interruption and various other losses should be demanded by plan fiduciaries to safeguard plan assets from the following cyberattacks:

Spoofing: Deceptive communication from an unknown source pretending to be a trusted source.

Phishing: Attackers pretending to be trusted entities to gather confidential information using deceptive emails and websites.

Social Engineering Fraud/Cyberdeception: Misleading employees into sending money or diverting payment based on fraudulent information.

Ransomware: Malicious software that encrypts a victim’s files until a ransom is paid.

Funds Transfer Fraud: Diverting money from a benefit plan to some other account.


Conclusion

The legal landscape of cybersecurity for employee benefit plans is evolving quickly. To best protect assets, fiduciaries should:

  • Assemble an experienced team, including legal counsel, a cybersecurity vendor familiar with benefit plans, a bank that offers appropriate fraud protection options, and an insurance broker that understands benefit plans.
  • Review all service providers’ IT and cybersecurity practices periodically in accordance with DOL policies.
  • Implement best practices presented by the DOL (or even go beyond!) to ensure plan assets are protected.
  • Avoid signing contracts that limit service provider responsibility for security breaches.


Onsite Logic