In a March 21, 2022 statement, President Joe Biden cautioned businesses in the private sector to harden their cyber defenses, reiterating earlier warnings related to potential cyberattacks against U.S. organizations by Russia.
While there is no evidence of an imminent attack tied to the Russia-Ukraine crisis, Biden’s top cybersecurity officer, Anne Neuberger, noted that the everyday cyber risks businesses face, together with the potential for Russian-led cyberattacks, call for urgency.
WORLD Observation – While only tangential to employer plans, as we have noted previously, employers should take note, as it provides a reminder about possible employer plan issues.
ERISA FIDUCIARY RESPONSIBILITY
Employers often forget that they are fiduciaries concerning their employee groups’ medical and other welfare benefit plans. Fiduciary responsibility has traditionally been an issue for retirement plans, particularly 401(k) plans, as they contain employee funds. Therefore, safeguarding those funds would easily be seen as a fiduciary obligation of the employers who sponsor those plans.
Welfare benefit plans, particularly the insured medical plans that most employers sponsor, do not seem to raise the same concerns. That may have been true in the past, but with the advent of several recent legislative and regulatory changes, it is less true today.
The Transparency requirements, the No Surprises Act requirements, and the Mental Health Parity obligations are all the explicit responsibility of the employer, even though the insurance carriers, TPAs, and other vendors typically perform the functions associated with those obligations. With some exceptions for fully insured medical plans, the employer will be responsible for any violations. Even more directly, under the compensation disclosure rules, the employer is charged with assessing whether the fees or other compensation earned by brokers or consultants are reasonable under ERISA.
Similarly, these new warnings about potential cyberattacks from the Biden administration should serve as a reminder for employers to consider cyber protections as part of their plans. Further, the HIPAA rules for plans, specifically those covered by the Health Information Technology for Economic and Clinical Health Act (“HITECH”), require sponsors to evaluate their plans’ technical safeguards. (Fully insured plans generally can rely on the carriers for compliance with the HIPAA privacy and HITECH rules.)
Administration suggestions on next steps
The Biden Administration issued a fact sheet with specific guidance on protective measures.
- Mandate the use of multi-factor authentication on your systems to make it harder for attackers to get into your system
- Deploy modern security tools on your computers and devices to continuously look for and mitigate threats
- Check with your cybersecurity professionals to make sure that your systems are patched and protected against all known vulnerabilities
- Change passwords across your networks, so that previously stolen credentials are useless
- Back up your data and ensure you have offline backups beyond the reach of malicious actors
- Run exercises and drill your emergency plans, so that you can respond quickly to minimize the impact of any attack
- Encrypt your data, so it cannot be used if stolen
- Educate your employees about common tactics that attackers will use over email or through websites and encourage them to report if their computers or phones have shown unusual behavior
- Engage proactively with your local FBI field office or CISA Regional Office to establish relationships in advance of any cyber incidents and encourage your IT and Security leadership to visit the FBI and CISA websites for technical information and other valuable resources
These precautions are not new concepts to most employers. Nonetheless, we often lose sight of the requirements, becoming less vigilant when we do not see the threat as imminent. This serves as an excellent reminder to take the time to protect your company’s digital assets, review the potential threats to your employer plans, and make sure you have the appropriate defenses in place.