
Terms to Include in a Contract with a Cybersecurity Service Provider

Q. What are some terms to include in a contract with a cybersecurity service provider?

A. Guidance that the Department of Labor’s (DOL) Employee Benefits Security Administration (EBSA) issued in April 2021 offers tips on terms to include in a contract with a cybersecurity service provider.

The DOL suggests including in the contract terms that would enhance cybersecurity protection, such as those concerning the following.

  • Information Security Reporting. Require the service provider to obtain a third-party audit annually to determine compliance with information security policies and procedures.
  • Clear Provisions on the Use and Sharing of Information and Confidentiality. Spell out the service provider’s obligation to keep private information private, prevent the use or disclosure of confidential information without written permission, and meet a strong standard of care to protect confidential information against unauthorized access, loss, disclosure, modification or misuse. 
  • Notification of Cybersecurity Breaches. Identify how quickly the service provider will provide notification of any cyber incident or data breach, and ensure the service provider’s cooperation to investigate and reasonably address its cause. 
  • Compliance with Laws Concerning Records Retention and Destruction, Privacy and Information Security. Specify the service provider’s obligations to meet all applicable federal, state and local laws, rules, regulations, directives and other governmental requirements pertaining to the privacy, confidentiality, or security of participants’ personal information. 
  • Insurance. Consider requiring insurance coverage such as professional liability and errors and omissions liability insurance, cyber liability and privacy breach insurance, and/or fidelity bond/blanket crime coverage.