Department of Labor’s Employee Benefits Security Administration Guidelines for Hiring an IT Company

In today’s technology-driven business landscape, selecting the right IT company is crucial for the success and efficiency of any organization. To ensure service providers follow strong and up-to-date cybersecurity practices, the Department of Labor’s (DOL) Employee Benefits Security Administration (EBSA) provides guidelines that plan sponsors, plan fiduciaries, record keepers and plan participants should follow when hiring (reference). Here’s a comprehensive overview to help you navigate through the complexities of hiring an IT company in accordance with DOL standards.

Summary of DOL Guidelines

As a basic summary of the DOL guidelines, refer to these key questions when vetting an IT company. 

  1. What are the service providers’ security standards, practices, and policies?
  2. How does the provider validate and verify its practices? 
  3. What is the service provider’s track record in the industry? 
  4. Has the service provider experienced past breaches, and if so, how did they respond? What was the outcome?
  5. Does the service provider have insurance policies that cover losses if a breach occurs? 
  6. If you work with the provider, does their contract require ongoing compliance with cybersecurity and information security standards? This might include:
    1. Information Security Reporting
    2. Clear Provisions on the Use and Sharing of Information and Confidentiality
    3. Notification of Cybersecurity Breaches
    4. Compliance with Records Retention and Destruction, Privacy, and Information Security Laws
    5. Insurance

Verifying an IT Company

When it comes to hiring an IT company, you can follow a list of standards and recommendations, but without proper verification, how do you know that an IT company is who they say they are? 

Lucky for you, the world of cybersecurity has several verifications and certifications that managed IT service providers can complete to assess and prove their legitimacy. This includes certifications such as MSP Verify.

MSP Verify is an exclusive third-party audited certification through Cyber Verify. PK Tech is one of only 3% of MSPs worldwide that have successfully achieved this certification. MSPs holding the Cyber Verify certification serve small and medium businesses (SMB), mid-market, and enterprise clients across many vertical markets, including financial services, banking, healthcare, education, legal, government, and more.

In the verification process, it’s reasonable to ask your prospective IT company which certifications they may hold or inquire about specific certifications that are important to your industry.

Vetting Your Prospective IT Company 

By aligning your IT company selection process with the Department of Labor guidelines, you not only prioritize cybersecurity but also reduce the risk of legal and financial ramifications if and when a breach occurs. This approach ensures that your organization partners with an IT company that upholds the highest standards of cybersecurity and compliance. 
