Practice Management

Tips for Hiring a Cybersecurity Service Provider

Q. What are some best practices for hiring a cybersecurity service provider?

In April 2021 the Department of Labor’s (DOL) Employee Benefits Security Administration (EBSA) issued guidance with the following tips to help business owners and fiduciaries meet their responsibility under ERISA to prudently select and monitor service providers.

1. Ask the service provider:

  • about its information security standards, practices and policies, and its audit results;
  • how it validates its practices;
  • what levels of security standards it has met and implemented; and
  • whether it has experienced past security breaches, what happened, and how it responded.

2. Look for:

  • service providers that follow a recognized standard for information security and use an outside auditor to review and validate their cybersecurity; and
  • contract provisions that give you the right to review audit results demonstrating compliance with those security standards.

3. Compare the service provider’s standards to those that other financial institutions follow.

4. Evaluate the service provider’s track record in the industry, including public information about information security incidents and about litigation and other legal proceedings related to its services.

5. Find out whether the service provider carries insurance policies that would cover losses caused by cybersecurity breaches and identity theft.

6. Make sure that a contract with a service provider requires ongoing compliance with cybersecurity and information security standards.