And The Hits Just Keep on Coming: New DOL Guidance on Cybersecurity

Today, the DOL announced new guidance for plan sponsors, plan fiduciaries, record keepers and plan participants on best practices for maintaining cybersecurity, including tips on how to protect retirement benefits.  This is the first time the department’s Employee Benefits Security Administration (EBSA) has issued cybersecurity guidance.

Below is what they released today, with web links and some quick-read bullet points for you:

  1. Tips for Hiring a Service Provider with Strong Cybersecurity Practices
    • Plan sponsors should use service providers that follow strong cybersecurity practices.
    • Look for service providers that follow a recognized standard for information security and use an outside (third-party) auditor to review and validate cybersecurity.
    • Ask the service provider how it validates its practices, and what levels of security standards it has met and implemented. Look for contract provisions that give you the right to review audit results demonstrating compliance with the standard.
    • Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches (including breaches caused by internal threats, such as misconduct by the service provider’s own employees or contractors, and breaches caused by external threats, such as a third party hijacking a plan participant’s account).
    • When you contract with a service provider, make sure that the contract requires ongoing compliance with cybersecurity and information security standards – and beware of contract provisions that limit the service provider’s responsibility for IT security breaches.  You should check to make sure you know what requirements your recordkeeper puts on plan participants in order for the participant’s account to be made whole by the recordkeeper if there is a theft (e.g., do they require two-factor authentication in order for the recordkeeper’s “guarantee” to apply?).
    • They identified a list of contractual provisions that your contract with service providers should contain.
    • I would go over this at your next plan committee meeting with your recordkeeper and any other service providers – and document the review in your minutes.
  2. Cybersecurity Program Best Practices
    • ERISA-covered plans often hold millions of dollars or more in assets and maintain personal data on participants, which can make them tempting targets for cyber-criminals. Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.
    • States that plan service providers should “conduct prudent annual risk assessments” and “[h]ave a reliable annual third party audit of security controls.”
    • Outlines what makes a prudent, well-documented cybersecurity program.
    • Again, ask your recordkeeper to provide a summary of how their program meets these standards – so your plan committee can be aware of that and document it for their minutes.
  3. Online Security Tips for Retirement Plan Participants
    • I would consider having your recordkeeper send the tip sheet to plan participants ASAP.
  4. DOL Press Release

DOL Issued FAQs and Four Model COBRAs Yesterday – Take Action Right Now

Yesterday (April 7), the Department of Labor issued a series of frequently asked questions (“FAQs”) regarding the COBRA provisions of the American Rescue Plan of 2021 (“ARP”) – along with four model COBRA notices.  The FAQs clarify a number of issues.  Employers need to take action right now.

You might recall that on March 11, 2021, President Biden signed the ARP, which subsidizes the full COBRA premium for certain individuals for periods of coverage from April 1, 2021 through September 30, 2021.  To qualify for this free COBRA, individuals must: (1) have a COBRA-qualifying event that is a reduction in hours or an involuntary termination of employment; (2) elect COBRA coverage; (3) not be eligible for Medicare; and (4) not be eligible for coverage under any other group health plan (e.g., their new employer’s plan or their spouse’s plan).  As discussed in our March 15th blog post, this free coverage is also available to qualifying individuals who already lost coverage and who could have had COBRA coverage during the period from April 1, 2021 to September 30, 2021 (“Expired COBRA Participants”).  Expired COBRA Participants likely include individuals who lost coverage going all the way back to November 2019.

The ARP also imposes new related notice obligations and deadlines on employers.  The model notices issued yesterday are intended to help employers meet their obligations.

You might also recall that in late February, before the ARP, the Department of Labor released EBSA Disaster Relief Notice 2021-01 (“Notice 2021-01”), which extended (among other things) the deadlines for individuals to elect COBRA and pay for COBRA – by essentially giving every COBRA qualified beneficiary their own one-year period to make such an election or payment.  And that notice also has different notice obligations.

All of these rules, requirements, and notices make all of this way too complicated right now.  The following is an attempt to provide a quick summary and some recommendations:

  1. Employees Have One Year to Elect and Pay for COBRA

Notice 2021-01 provides disaster-related relief that extends, among other things, the deadline for qualified beneficiaries to elect and pay for COBRA.  Normally, qualified beneficiaries generally have 60 days to elect COBRA coverage.  For the period beginning March 1, 2020 through the end of the National Emergency (which is ongoing and we have no idea when it will end), Notice 2021-01 disregards the normal 60-day election period, and gives qualified beneficiaries until the earlier of (a) one year from the date they would normally have to elect COBRA, or (b) 60 days after the announced end of the National Emergency (the end of the “Outbreak Period”).  For example, if a qualified beneficiary would have been required to make a COBRA election by March 1, 2020 (the end of the normal 60-day election period), Notice 2021-01 delays that requirement until February 28, 2021, which is the earlier of one year from March 1, 2020 or the end of the Outbreak Period.

This extension works the same way with the COBRA premium payment deadline – and certain other deadlines like the normal 30-day deadline (under HIPAA special enrollment) to notify a plan and elect coverage due to a marriage, birth, or adoption.

  2. You Should Notify Affected Individuals of the One-Year COBRA Extension

For any individual who could benefit from the one-year extension described above, Notice 2021-01 states that plan administrators may need to revise their previously-issued COBRA election notice that was given to the individual before the recent extension – so that affected individuals are aware of their rights.  Thus, you likely need to determine who lost coverage and qualified for COBRA on or after March 1, 2020 and determine who needs to be sent a revised/updated notice that explains the one-year extension.

You need to do the same thing for anyone who could benefit from the same extended deadline to pay their COBRA premiums.

On a related note, Notice 2021-01 also indicates that plans should consider ways to ensure that participants who are losing coverage under their group health plans are made aware of other coverage options that may be available to them, including the opportunity to obtain coverage through the Health Insurance Marketplace in their state.

  3. You Should Consider Sending a General Notice to All Participants Explaining the One-Year Extension

You should consider sending a general notice to all plan participants explaining the one-year extension under Notice 2021-01 – so that participants understand their rights as they relate to HIPAA special enrollment, COBRA, and claims and appeal deadlines (which also have the same one-year extension).  You likely do not know all of the potential HIPAA special enrollment events that your employees may have already experienced, or will experience, so a general notice would notify a broader group than the targeted COBRA notices mentioned above under #2.

  4. Free COBRA Applies to All Group Health Plans – Except FSAs

The FAQs issued yesterday confirm that the free COBRA applies to all group health plans (except FSAs), including excepted benefits (e.g., dental).

  5. For Those Losing Coverage Between April 1, 2021 and September 30, 2021, You Need to Give Them a Notice Regarding the Free COBRA

The ARP requires employers to send a general notice to all qualified beneficiaries who have a qualifying event that is a reduction in hours or an involuntary termination of employment from April 1, 2021 through September 30, 2021.  This notice may be provided separately or with the COBRA election notice following a COBRA qualifying event.  There are specific requirements regarding what the notice must contain.

The DOL provided a model election notice for this yesterday, which you can find here:

  6. You Need to Send a Notice by May 31, 2021 to Qualifying Individuals Who Had a COBRA Event Before April 1, 2021 – Including Expired COBRA Participants

As mentioned above, certain Expired COBRA Participants – who lost coverage prior to April 1, 2021 and who either did not elect COBRA when it was first offered or who elected COBRA but then dropped the coverage – are also entitled to the free COBRA provided by the ARP.  These Expired COBRA Participants must receive a notice of the extended COBRA election period informing them of this free coverage opportunity.

For anyone else who qualifies for the free COBRA and who had a qualifying event before April 1, 2021, they too must receive a notice of their right to the free COBRA.

The notice must be provided to these individuals by May 31, 2021.  These individuals then have 60 days after the notice is provided to elect the free COBRA.

The DOL also provided a model notice for this, which you can also find at

  7. Free COBRA Reimbursed Directly to the Employer

Individuals who qualify for the free COBRA coverage do not have to pay any of the COBRA premium for the period of coverage from April 1, 2021 through September 30, 2021.  The premium is reimbursed directly to the employer through a COBRA premium assistance credit.

  8. No One-Year Extension of Deadline to Elect Free COBRA

For the individuals described above under #6, as mentioned they have 60 days after receiving the required notice to elect free COBRA.  The guidance issued yesterday makes it clear that this 60-day deadline is a real 60-day deadline, i.e., the one-year extension described above under #1 does not extend the 60-day deadline to elect free COBRA under the ARP.

  9. Don’t Forget to Amend Your Plan for All of the Above

You likely need to amend your plan to reflect all of the above, i.e., the one-year extension and the free COBRA.  Also, please don’t forget that you likely need to amend your plan to provide that COVID vaccinations are provided free with no cost sharing.  We have seen several plans lately that amended their terms last year to reflect free COVID testing but have not yet been amended to reflect the required free COVID vaccine benefit.