Tech & Sourcing @ Morgan Lewis


The US Department of Labor (DOL) recently announced guidance for plan sponsors, plan fiduciaries, recordkeepers and plan participants on cybersecurity best practices. The guidance focuses on three areas: (1) tips for hiring a service provider; (2) cybersecurity program best practices; and (3) online security tips. In this post, we will focus on the DOL’s tips for plan sponsors and plan fiduciaries in selecting a service provider.

In selecting a service provider, a plan sponsor or plan fiduciary should consider the following:

  1. Reviewing the service provider’s information security standards, practices, policies, and audit reports. With respect to audit reports, note whether an outside (third party) auditor conducted the audit.
  2. Reviewing (or adding to the contract) provisions that give the plan sponsor or fiduciary the right to review audit results.
  3. Evaluating the service provider’s track record in the industry, including public information regarding security incidents, litigation and other legal proceedings relating to the service provider’s services.
  4. Asking the service provider whether it has experienced any past security breaches, the details of what happened, and the service provider’s response.
  5. Asking the service provider whether it maintains insurance policies that would cover losses caused by cybersecurity and identity theft breaches (including breaches caused by internal threats, such as misconduct by the service provider’s own employees or contractors, and breaches caused by external threats, such as a third party hijacking a plan participants’ account).

The guidance also provides some key contract provisions to consider when entering into an agreement with a service provider:

  1. Provisions requiring that the service provider adhere to data security standards. Further, the contract should be reviewed for provisions that limit a service provider’s responsibility for security breaches.
  2. Provisions requiring that the service provider undergo an annual third party audit to determine compliance with its security policies and procedures.
  3. Provisions governing the use and sharing of confidential information.
  4. Provisions addressing what happens in the event that there is a cybersecurity breach (including how quickly the plan sponsor or fiduciary receives notification).
  5. Provisions requiring compliance with privacy and information security laws.
  6. Provisions requiring insurance coverage, including cyber liability and privacy breach insurance.

We encourage our readers to review the guidance for more information, including information on cybersecurity best practices. If you are a plan sponsor or plan fiduciary engaging a service provider, please be sure to get legal advice on the range of issues associated with cybersecurity provisions in service provider contracts. We at Morgan Lewis have helped many clients review the cybersecurity provisions of service provider contracts. Please contact the authors here or any Morgan Lewis lawyer for assistance in this space.