To readers aware of the ongoing, intense media focus on cyberattacks, it should come as no surprise that multiple studies show that the frequency and sophistication of cyberattacks is increasing, rising dramatically in 2017.
As a benefits professional, it may seem as though you’re safely behind the ‘front lines’ of the cyber conflict zone. It may surprise you to learn that your actions – or inactions – could result in your company and its employees becoming ‘collateral damage’ in a cyberattack directed at one of your benefit services providers.
To minimize your risk, you’ll need to understand the cybersecurity landscape, and ensure that discipline is applied to the process of evaluating, selecting and retaining benefit services providers with access to your company’s critical data.
Concern Rises Over Cyber Attacks on Suppliers
Benefits professionals would be wise to heed the results from the Ponemon Institute’s study “What CISOs Worry About in 2018”. The study indicates rising concerns over cyberattacks on third parties, but alarmingly, also points to an overall lack of information, controls and preparedness when it comes to understanding the cybersecurity of third party vendor-suppliers.
Key findings from the Ponemon study:
- 44% of respondents predict that a supplier will misuse or share confidential information with other third parties.
- 42% worry most about a supplier data breach.
- 60% responded that their concern about experiencing a data breach caused by a supplier had increased since last year, with 21% indicating that their concern had increased significantly.
- 51% felt that they were likely to have a data breach in the coming year resulting from a “failure to control third parties’ use of our sensitive data.”
- 42% felt that “visibility into the sensitive data accessed & used by third parties” could drive improvement to the organization’s cybersecurity posture.
The November 2016 ERISA Advisory Council report Cybersecurity Considerations for Benefit Plans focused specifically on the issues faced by pension and welfare benefits plans that fall under ERISA. The report raised the general awareness of cybersecurity threats and provided information to plan sponsors and fiduciaries on how to minimize risks associated with retirement benefit services providers.
Drawing upon the ERISA Advisory Council report and other sources, below are some general guidelines for how you should manage the cybersecurity dimensions of your benefit services provider relationships.
1. Understand the data you are protecting
Benefits plans typically contain detailed data about its participants, or personally identifiable information (“PII”). The PII includes names, dates of birth, social security numbers, addresses, emails, etc. Cyber attackers could use a benefit plan’s PII in a variety of nefarious ways, including accessing bank accounts, credit cards, or taking out loans in someone else's name.
Understanding the data also means understanding:
- What specific data is needed by a service provider?
- How is the data is exchanged with the provider?
- Where is the data is stored?
- Who has access to the data?
- What data needs to be retained?
2. Keep an inventory of all benefit services provider relationships.
While this sounds obvious, the Ponemon Institute study noted that only 35 percent of companies had a list of the third parties that they were sharing data with! Encouragingly, the study also found that a program of vendor-supplier cybersecurity oversight could reduce the incidence of a breach from 66 percent to 46 percent, a decrease of 20 points.
Under ERISA, your list of benefit service providers could include:
- Recordkeepers
- Fund managers
- Third-party administrators (TPAs)
- Custodians
- Actuaries
- Auditors
- Trustees
- Advisors
- Consultants
- Other specialists, including automatic rollover and portability service providers
Once this list of providers is compiled, it should be ranked from highest potential risk to lowest potential risk based on the sensitivity of the data each provider can access, and other risk factors.
3. Establish a framework for evaluating service providers’ cybersecurity
Most of the frameworks that have been identified coalesce around the National Institute of Standards and Technology (“NIST”) framework, developed by the U.S. Department of Commerce. Using this framework as a starting point, many in the retirement industry have begun to coalesce around industry-specific standards and frameworks, such as HITRUST.
While industry standards are being worked out, the Appendix of the ERISA Advisory Council report suggests that plans incorporate the following 14 general questions when contracting with and evaluating benefit services providers:
4. Conduct provider assessments
Once your framework is in place, you’ll need to assess your current providers. There are several approaches that you can take, each involving different degrees of time and cost:
- Provider self-assessments and responses to your questions
- Independent audits (ex. – SOC 2)
- Third-party security services assessment
- Direct audits of providers
5. Incorporate evaluation & assessment approach into future procurement activities
- Include standard, cybersecurity questions in your RFPs, and into RFP scoring
- Incorporate security provisions into services agreements
Whatever your approach, it’s abundantly clear that the effort put into understanding, monitoring and verifying your benefit services providers’ usage and handling of your company’s data could be the difference between keeping the data secure or becoming ‘collateral damage’ in a third party cyberattack.