As a sponsor of an employer health and welfare plan, you have a fiduciary responsibility to manage the risks posed by third-party service providers (TPSPs). Perhaps the most significant risk is related to cybersecurity. If one of those TPSPs experiences a major security breach or is poorly vetted, as the plan sponsor and the fiduciary, you may be held liable for the losses.
Recent guidance from both the Department of Labor (DOL) and the New York State Department of Financial Services (DFS) underscores the importance of due diligence and ongoing oversight of the TPSPs that administer your benefit plan, such as third-party administrators (TPAs), carriers, and technology platforms. The risk is real. Without proper documentation of vendor vetting and oversight, plan sponsors may be exposed to claims that they have failed to fulfill their fiduciary obligations under the Employee Retirement Income Security Act (ERISA), which could result in personal financial liability for fiduciaries and other decision-makers.
Outsourcing the administration does not absolve you of your fiduciary duty.
What the New York DFS Guidance Says
The DFS recently released guidance for covered entities to manage risks related to cybersecurity of TPSPs and has identified multiple areas in which covered entities should strengthen their cybersecurity programs, such as the need for more robust due diligence, contractual provisions, monitoring and oversight, and TPSP risk management policies and procedures.
DFS guidance primarily applies to entities regulated under New York’s Banking, Insurance, and Financial Services law. However, it sets out expectations and best practices that are relevant to other entities, such as self-funded employer-sponsored plans. It is also worth noting that New York State regulators often set the stage for other jurisdictions, so other states can be expected to follow their lead in the future.
Key takeaways from the DFS guidance:
- Performing due diligence on TPSPs that includes a detailed assessment of items such as access to information systems, handling and storage of data, and cybersecurity practices and controls
- Assessing the cybersecurity risks the TPSP poses to the covered entity’s information systems
- Developing a plan to mitigate risks posed by each TPSP
- Implementing written policies and procedures that address due diligence and services provided
- Auditing and assessing TPSPs to determine the adequacy of their cybersecurity practices
What the DOL Expects of Plan Sponsors
In September 2024, the DOL’s Employee Benefits Security Administration (EBSA) released Compliance Assistance Bulletin 2024-01, confirming that its cybersecurity guidance applies to health and welfare plans governed by ERISA. Cybersecurity due diligence is no longer optional. It is an expected “best practice.”
Plan sponsors should:
- Evaluate vendors before hiring: Assess how they handle sensitive data, their cybersecurity controls, and where they operate.
- Monitor vendors regularly: Review incident response plans, audit results, and downstream provider practices.
- Document everything: Maintain a clear record of your oversight activities.
Here’s a checklist to guide your due diligence related to cybersecurity:
| Evaluation Criteria | Action Items |
|---|---|
| Security Standards & Policies | |
| Validation & Certifications | |
| Audit & Oversight | |
| Incident History | |
| Insurance Coverage | |
| Contractual Protections | |
The above are summary tips; more detailed information can be found in the EBSA Compliance Assistance Bulletin.
For more information about the 2024 guidance, access our Compliance Matters Alert from October 2024.
How EPIC Helps You Manage This Risk
As your employee benefits partner, we take a proactive approach to help you strengthen compliance with your fiduciary obligations and reduce exposure to risk.
EPIC offers tools and support to help you meet your fiduciary obligations:
- Fiduciary Assessment Tool
EPIC offers a Fiduciary Assessment Tool designed specifically to help plan sponsors meet documentation requirements under ERISA. This process helps you create a Fiduciary File – a consolidated record that documents the steps you have taken to fulfill your fiduciary obligations, including vendor oversight. This file is part of your proof of fiduciary due diligence.
- Proactive Vendor Vetting
We help by asking the right questions and assisting our clients in evaluating service providers’ cybersecurity practices before they are hired, aligning your selection process with the heightened standards set by regulators.
- Cyber Insurance Review
EPIC recommends reviewing your corporate cyber liability insurance policy to ensure adequate coverage against third-party risk is in place. For more information, access our Risk Management Insights article “AWS Disruption Spurs Regulatory Focus on Third-Party Risk Management” from October 2025.
Take Action Today
Don’t wait for a DOL audit or a data breach to find out your organization is exposed. Fiduciary liability is a manageable risk, but only if you take proactive steps.
Ready to start your Fiduciary Assessment and build your fiduciary file?
Reach out to your EPIC Account Representative today.
Disclaimer: EPIC does not provide legal advice. Plan sponsors should seek guidance from their legal counsel to determine whether they are operating according to their fiduciary responsibilities.
EPIC Employee Benefits Compliance Services
For further information on this or any other topics, please contact your EPIC consulting team.
EPIC offers this material for general information only. EPIC does not intend this material to be, nor may any person receiving this information construe or rely on this material as, tax or legal advice. The matters addressed in this document and any related discussions or correspondence should be reviewed and discussed with legal counsel prior to acting or relying on these materials.