DOL Cybersecurity RFP

Many organizations do not have the internal resources to evaluate cybersecurity firms objectively. The work sits at the intersection of ERISA responsibilities, vendor oversight, and technical cybersecurity requirements.

Culpepper RFP helps you run a structured evaluation process so you can select the right firm with clear documentation.

What We Do

Culpepper RFP assists plan sponsors in evaluating cybersecurity consultants to complete an audit aligned with DOL guidance. We bring experience across DOL expectations, ERISA context, and cybersecurity considerations so you can compare firms consistently and make a well-supported decision.

Why This Evaluation Can Feel Difficult

Cybersecurity audits are technical, and the stakes feel high. It is not always obvious what questions to ask, how to compare proposals, or how to document the rationale in a way that makes sense later to a committee, counsel, or leadership.

The DOL Best Practices

The DOL best practices cover areas that sponsors and service providers are expected to take seriously, including:

• A formal, well-documented cybersecurity program
• Prudent risk assessments
• A reliable annual third-party audit of security controls
• Clear security roles and responsibilities
• Strong access control procedures
• Appropriate security reviews for cloud or third-party managed data and systems
• Periodic cybersecurity awareness training
• A secure system development life cycle (SDLC) program
• Business resiliency planning: business continuity, disaster recovery, incident response
• Encryption of sensitive data, stored and in transit
• Strong technical controls aligned with best practices
• Appropriate response to past cybersecurity incidents

DOL Guidance Documents

• Cybersecurity Program "Best Practices"
• "Tips" to help plan sponsors and fiduciaries select service providers
• "Online Security Tips" for plan participants and beneficiaries