EMPLOYEE BENEFITS SECURITY ADMINISTRATION UNITED STATES DEPARTMENT OF LABOR
TIPS FOR HIRING A SERVICE PROVIDER WITH
STRONG CYBERSECURITY PRACTICES
As sponsors of 401(k) and other types of pension plans, business owners often rely on
other service providers to maintain plan records and keep participant data confidential
and plan accounts secure. Plan sponsors should use service providers that follow strong
cybersecurity practices.
To help business owners and fiduciaries meet their responsibilities under ERISA to prudently
select and monitor such service providers, we prepared the following tips for plan sponsors
of all sizes:
1. Ask about the service provider’s information security standards, practices and policies,
and audit results, and compare them to the industry standards adopted by other financial
institutions.
• Look for service providers that follow a recognized standard for information
security and use an outside (third-party) auditor to review and validate
cybersecurity. You can have much more confidence in the service provider if
the security of its systems and practices are backed by annual audit reports that
verify information security, system/data availability, processing integrity, and data
confidentiality.
2. Ask the service provider how it validates its practices, and what levels of security
standards it has met and implemented. Look for contract provisions that give you the
right to review audit results demonstrating compliance with the standard.
3. Evaluate the service provider’s track record in the industry, including public information
regarding information security incidents, other litigation, and legal proceedings related
to vendor’s services.
4. Ask whether the service provider has experienced past security breaches, what
happened, and how the service provider responded.
5. Find out if the service provider has any insurance policies that would cover losses
caused by cybersecurity and identity theft breaches (including breaches caused by
internal threats, such as misconduct by the service provider’s own employees or
contractors, and breaches caused by external threats, such as a third party hijacking a
plan participants’ account).
6. When you contract with a service provider, make sure that the contract requires
ongoing compliance with cybersecurity and information security standards – and
beware contract provisions that limit the service provider’s responsibility for IT security
breaches. Also, try to include terms in the contract that would enhance cybersecurity
protection for the Plan and its participants, such as:
• Information Security Reporting. The contract should require the service provider
to annually obtain a third-party audit to determine compliance with information
security policies and procedures.