![\"service](\"https:\/\/gtm.com\/business\/wp-content\/uploads\/2024\/09\/pexels-cottonbro-5474288.jpg\")
<\/p>\n<\/p>\n
To help employers prudently select and monitor their service providers, the U.S. Department of Labor’s Employee Benefits Security Administration has prepared this publication regarding using service providers that follow strong cybersecurity practices.<\/p>\n
Employers often rely on service providers to maintain records, keep data confidential, and secure accounts. They should use service providers that follow strong cybersecurity practices.<\/p>\n
Read about GTM’s commitment to data security<\/a>.<\/p>\n 1.<\/strong> Ask about the service provider\u2019s information security standards, practices, policies, and audit results and compare them to the industry standards adopted by other institutions.<\/p>\n 2.<\/strong> Ask the service provider how it validates its practices and what levels of security standards it has met and implemented. Look for contract provisions that give you the right to review audit results demonstrating compliance with the standard.<\/p>\n 3.<\/strong> Evaluate the service provider\u2019s track record in the industry, including public information regarding information security incidents, other litigation, and legal proceedings related to the vendor\u2019s services.<\/p>\n 4.<\/strong> Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded.<\/p>\n 5.<\/strong> Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches (including breaches caused by internal threats, such as misconduct by the service provider\u2019s employees or contractors, and breaches caused by external threats, such as a third party hijacking a client’s account).<\/p>\n 6.<\/strong> When you contract with a service provider, ensure that the contract requires ongoing compliance with cybersecurity and information security standards \u2013 and beware of contract provisions that limit the service provider\u2019s responsibility for IT security breaches. Also, try to include terms in the contract that would enhance cybersecurity protection, such as:<\/p>\n The contract should require the service provider to annually obtain a third-party audit to determine compliance with information security policies and procedures.<\/p>\n The contract should spell out the service provider\u2019s obligation to keep private information private, prevent the use or disclosure of confidential information without written permission, and meet a strong standard of care to protect confidential information against unauthorized access, loss, disclosure, modification, or misuse.<\/p>\n The contract should identify how quickly you would be notified of any cyber incident or data breach. It should also ensure the service provider\u2019s cooperation in investigating and reasonably addressing the cause of the breach.<\/p>\n The contract should specify the service provider\u2019s obligations to comply with all applicable federal, state, and local laws, rules, regulations, directives, and other governmental requirements regarding the privacy, confidentiality, or security of participants\u2019 personal information.<\/p>\n You may want to require insurance coverage such as professional liability and errors and omissions liability insurance, cyber liability and privacy breach insurance<\/a>, and\/or fidelity bond\/blanket crime coverage. Be sure to understand the terms and limits of any coverage before relying upon it as protection from loss, including ensuring that the policy covers cybersecurity breaches and incidents involving the plan.<\/p>\n Employee Benefits Security Administration<\/em> Security is integral to our operations. It\u2019s at the core of what we do with multiple layers of protection embedded into our products, processes, and infrastructure.<\/p>\n\n
Information Security Reporting<\/h2>\n
Clear Provisions on the Use and Sharing of Information and Confidentiality<\/h3>\n
Notification of Cybersecurity Breaches<\/h3>\n
Compliance with Records Retention and Destruction, Privacy and Information Security Laws<\/h3>\n
Insurance<\/h3>\n
\nUNITED STATES DEPARTMENT OF LABOR<\/em><\/p>\nGTM’s Cybersecurity Practices<\/h2>\n