Q. What are some best practices for hiring a cybersecurity service provider?
Guidance issued in April 2021 by the Department of Labor's (DOL) Employee Benefits Security Administration (EBSA) offers the following tips to help business owners and fiduciaries meet their ERISA responsibility to prudently select and monitor service providers.
1. Ask the service provider:
- about its information security standards, practices and policies, and audit results;
- how it validates its practices;
- what levels of security standards it has met and implemented; and
- whether the service provider has experienced past security breaches, what happened, and how the service provider responded.
2. Look for:
- service providers that follow a recognized standard for information security and use an outside auditor to review and validate cybersecurity; and
- contract provisions that give you the right to review audit results demonstrating compliance with security standards.
3. Compare the service provider’s standards to those other financial institutions follow.
4. Evaluate the service provider's track record in the industry, including public information regarding information security incidents, and any other litigation or legal proceedings related to its services.
5. Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches.
6. Make sure that a contract with a service provider requires ongoing compliance with cybersecurity and information security standards.