Employee Benefits Security Administrations Cybersecurity Guidance Part I: Hiring a Service Provider

Part one of a three-part series on the U.S. Department of Labor’s “Cybersecurity Guidance for Plan Sponsors, Plan Fiduciaries, Record Keepers, Plan Participants.”

Nearly a year ago, in April 2021, the Department of Labor’s (DOL) Employee Benefits Security Administrations (EBSA) announced cybersecurity guidance for retirement plans subject to the Employee Retirement Income Security Act of 1974 (ERISA). The guidance includes best practices for maintaining cybersecurity and tips for protecting workers’ benefits for plan sponsors, plan fiduciaries, record keepers, and plan participants.

As noted in the release, the guidance is provided under three forms:

  1. Tips for hiring a service provider – To help plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices as required by ERISA

  2. Cybersecurity program best practices – To help plan fiduciaries and record-keepers in their responsibilities for managing cybersecurity risks

  3. Online security tips – To help participants and beneficiaries reduce the risk of fraud and loss when checking their retirement accounts online.


Tips for hiring a service provider

Business owners often rely on other service providers to maintain plan records and keep participant data confidential and plan accounts secure. And, if the myriad of data breaches and security incidents have taught us anything, it is that we are only as strong as our weakest link. Therefore, to satisfy ERISA guidance and secure confidential data, it is critical that plan sponsors use service providers with stringent cybersecurity practices. The DOL recommends the following:

  1. Ask about the service provider’s information security standards, practices and policies, and audit results, and compare them to the industry standards adopted by other financial institutions. Ideally the service provider follows a recognized standard for information security and uses an outside (third-party) auditor to review and validate their cybersecurity practices.

  2. Ask the service provider how it validates its practices, and what levels of security standards it has met and implemented.

  3. Evaluate the service provider’s track record in the industry, including public information regarding information security incidents, other litigation, and legal proceedings related to vendor’s services.

  4. Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded.

  5. Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches.

  6. When you contract with a service provider, make sure that the contract requires ongoing compliance with cybersecurity and information security standards—and be wary of contract provisions that limit the service provider’s responsibility for IT security breaches..


The first and last of the six tips are particularly noteworthy.

  • The first tip notes: “Ideally the service provider follows a recognized standard for information security and uses an outside (third-party) auditor to review and validate their cybersecurity practices.” This is the most critical tip. A credible service provider should be able to provide a single report issued by an independent auditor (most commonly a “SOC” report) that encompasses the other five tips. The report should include information on the service providers’ data security standards, practices, and policies, and the related audit results. It should disclose recent security incidents, breaches, and whether or not the service provider uses insurance as one of its risk mitigation mechanisms (hopefully they aren’t relying strictly on insurance to mitigate these risks).”
  • According to tip six: “When you contract with a service provider, make sure that the contract requires ongoing compliance with cybersecurity and information security standards …” This tip ensures your service provider will continue to adhere to cybersecurity compliance and best practices, and continue to undergo independent audits of these requirements. As such, your service provider should be incentivized, if not required, to be vigilant of evolving cybersecurity threats and changes in best practices. In our engagements, HBK Risk Advisory Services regularly stresses the importance of third-party risk management as specified by this point of DOL guidance.

While the DOL guidance provides tips for hiring a service provider, your responsibility for managing vendor risk doesn’t stop there. It remains your responsibility to regularly assess and evaluate that service provider. Technology and cyber threats are constantly evolving, and so should your business’s and your service providers’ practices. Assessing a firm at engagement doesn’t satisfy the need to continually improve and adapt to the evolving cybersecurity landscape.

We recommend that to meet the needs of this guidance you establish a third-party risk management program. The program will set policies and procedures for managing third-party providers from pre-hire evaluation, contracting, and on-boarding, throughout their tenure as a service provider, and upon termination.

HBK Risk Advisory Services can help you design, implement and execute a third-party risk management program that meets compliance demands and manages the third-party risks unique to your organization. If you have any questions or concerns regarding this topic, please reach out to me at 724-934-5300 or email at mschiavone@hbkcpa.com.

Next: Third-party risk management is a component of “Cybersecurity Program Best Practice,” the subject of the next of our three-part series on the U.S. Department of Labor’s “Cybersecurity Guidance for Plan Sponsors, Plan Fiduciaries, Record Keepers, Plan Participants.”

About the Author(s)
Matthew joined HBK in early 2017 after spending four years working for Kearney and Company in Washington, DC as a consultant to the Department of Defense (DoD). Matt has thirteen years of extensive internal control experience within information technology and the financial reporting processes. He leads HBK’s Risk Advisory Services where he assists clients with System and Organization (SOC) 1 and SOC 2 readiness assessment and examination. Additionally, he helps clients assess the design, implementation, and effectiveness of cybersecurity controls and their ability to achieve industry best practices and security frameworks such as ISO 27001. His client base includes Software-as-a-Service organizations, cybersecurity and incident response service organizations, and service organizations supporting the healthcare and financial services industries.
Hill, Barth & King LLC has prepared this material for informational purposes only. Any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or under any state or local tax law or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein. Please do not hesitate to contact us if you have any questions regarding the matter.

RECOMMENDED ARTICLES