DOL Issues Cybersecurity Guidance for Plan Sponsors, Plan Fiduciaries, Recordkeepers, Plan Participants

Morgan Lewis - Tech & Sourcing

Morgan Lewis - Tech & Sourcing

The US Department of Labor (DOL) recently announced guidance for plan sponsors, plan fiduciaries, recordkeepers and plan participants on cybersecurity best practices. The guidance focuses on three areas: (1) tips for hiring a service provider; (2) cybersecurity program best practices; and (3) online security tips. In this post, we will focus on the DOL’s tips for plan sponsors and plan fiduciaries in selecting a service provider.

In selecting a service provider, a plan sponsor or plan fiduciary should consider the following:

  1. Reviewing the service provider’s information security standards, practices, policies, and audit reports. With respect to audit reports, note whether an outside (third party) auditor conducted the audit.
  2. Reviewing (or adding to the contract) provisions that give the plan sponsor or fiduciary the right to review audit results.
  3. Evaluating the service provider’s track record in the industry, including public information regarding security incidents, litigation and other legal proceedings relating to the service provider’s services.
  4. Asking the service provider whether it has experienced any past security breaches, the details of what happened, and the service provider’s response.
  5. Asking the service provider whether it maintains insurance policies that would cover losses caused by cybersecurity and identity theft breaches (including breaches caused by internal threats, such as misconduct by the service provider’s own employees or contractors, and breaches caused by external threats, such as a third party hijacking a plan participants’ account).

The guidance also provides some key contract provisions to consider when entering into an agreement with a service provider:

  1. Provisions requiring that the service provider adhere to data security standards. Further, the contract should be reviewed for provisions that limit a service provider’s responsibility for security breaches.
  2. Provisions requiring that the service provider undergo an annual third party audit to determine compliance with its security policies and procedures.
  3. Provisions governing the use and sharing of confidential information.
  4. Provisions addressing what happens in the event that there is a cybersecurity breach (including how quickly the plan sponsor or fiduciary receives notification).
  5. Provisions requiring compliance with privacy and information security laws.
  6. Provisions requiring insurance coverage, including cyber liability and privacy breach insurance.

We encourage our readers to review the guidance for more information, including information on cybersecurity best practices. If you are a plan sponsor or plan fiduciary engaging a service provider, please be sure to get legal advice on the range of issues associated with cybersecurity provisions in service provider contracts. 

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morgan Lewis - Tech & Sourcing | Attorney Advertising

Written by:

Morgan Lewis - Tech & Sourcing

Morgan Lewis - Tech & Sourcing on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.