518-373-4111
To help employers prudently select and monitor their service providers, the U.S. Department of Labor’s Employee Benefits Security Administration has prepared this publication regarding using service providers that follow strong cybersecurity practices.
Employers often rely on service providers to maintain records, keep data confidential, and secure accounts. They should use service providers that follow strong cybersecurity practices.
Read about GTM’s commitment to data security.
1. Ask about the service provider’s information security standards, practices, policies, and audit results and compare them to the industry standards adopted by other institutions.
- Look for service providers that follow a recognized standard for information security and use an outside (third-party) auditor to review and validate cybersecurity. You can have much more confidence in the service provider if the security of its systems and practices are backed by annual audit reports that verify information security, system/data availability, processing integrity, and data confidentiality.
2. Ask the service provider how it validates its practices and what levels of security standards it has met and implemented. Look for contract provisions that give you the right to review audit results demonstrating compliance with the standard.
3. Evaluate the service provider’s track record in the industry, including public information regarding information security incidents, other litigation, and legal proceedings related to the vendor’s services.
4. Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded.
5. Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches (including breaches caused by internal threats, such as misconduct by the service provider’s employees or contractors, and breaches caused by external threats, such as a third party hijacking a client’s account).
6. When you contract with a service provider, ensure that the contract requires ongoing compliance with cybersecurity and information security standards – and beware of contract provisions that limit the service provider’s responsibility for IT security breaches. Also, try to include terms in the contract that would enhance cybersecurity protection, such as:
Information Security Reporting
The contract should require the service provider to annually obtain a third-party audit to determine compliance with information security policies and procedures.
Clear Provisions on the Use and Sharing of Information and Confidentiality
The contract should spell out the service provider’s obligation to keep private information private, prevent the use or disclosure of confidential information without written permission, and meet a strong standard of care to protect confidential information against unauthorized access, loss, disclosure, modification, or misuse.
Notification of Cybersecurity Breaches
The contract should identify how quickly you would be notified of any cyber incident or data breach. It should also ensure the service provider’s cooperation in investigating and reasonably addressing the cause of the breach.
Compliance with Records Retention and Destruction, Privacy and Information Security Laws
The contract should specify the service provider’s obligations to comply with all applicable federal, state, and local laws, rules, regulations, directives, and other governmental requirements regarding the privacy, confidentiality, or security of participants’ personal information.
Insurance
You may want to require insurance coverage such as professional liability and errors and omissions liability insurance, cyber liability and privacy breach insurance, and/or fidelity bond/blanket crime coverage. Be sure to understand the terms and limits of any coverage before relying upon it as protection from loss, including ensuring that the policy covers cybersecurity breaches and incidents involving the plan.
Employee Benefits Security Administration
UNITED STATES DEPARTMENT OF LABOR
GTM’s Cybersecurity Practices
Security is integral to our operations. It’s at the core of what we do with multiple layers of protection embedded into our products, processes, and infrastructure.
Our state-of-the-art security measures are designed to safeguard your data from unauthorized access and cyber threats. We employ a robust combination of physical, administrative, and technical controls, including advanced encryption technologies, continuous network monitoring, and strict access controls, ensuring your data is protected around the clock.
GTM undergoes annual security assessments from the New York State Department of Financial Services and adheres to the National Institute of Standards and Technology (NIST) for cybersecurity standards. GTM also submits to several third-party audits, including SOC 1 audits, Nacha audits, and financial statement audits.
