As a benefits professional, it may seem as though you’re safely behind the ‘front lines’ of the cyber conflict zone. It may surprise you to learn that your actions – or inactions – could result in your company and its employees becoming ‘collateral damage’ in a cyberattack directed at one of your benefit services providers.
To minimize your risk, you’ll need to understand the cybersecurity landscape, and ensure that discipline is applied to the process of evaluating, selecting and retaining benefit services providers with access to your company’s critical data.
Concern Rises Over Cyber Attacks on Suppliers
Benefits professionals would be wise to heed the results from the Ponemon Institute’s study “What CISOs Worry About in 2018”. The study indicates rising concerns over cyberattacks on third parties, but alarmingly, also points to an overall lack of information, controls and preparedness when it comes to understanding the cybersecurity of third party vendor-suppliers.
Key findings from the Ponemon study:
The November 2016 ERISA Advisory Council report Cybersecurity Considerations for Benefit Plans focused specifically on the issues faced by pension and welfare benefits plans that fall under ERISA. The report raised the general awareness of cybersecurity threats and provided information to plan sponsors and fiduciaries on how to minimize risks associated with retirement benefit services providers.
Drawing upon the ERISA Advisory Council report and other sources, below are some general guidelines for how you should manage the cybersecurity dimensions of your benefit services provider relationships.
1. Understand the data you are protecting
Benefits plans typically contain detailed data about its participants, or personally identifiable information (“PII”). The PII includes names, dates of birth, social security numbers, addresses, emails, etc. Cyber attackers could use a benefit plan’s PII in a variety of nefarious ways, including accessing bank accounts, credit cards, or taking out loans in someone else's name.
Understanding the data also means understanding:
2. Keep an inventory of all benefit services provider relationships.
While this sounds obvious, the Ponemon Institute study noted that only 35 percent of companies had a list of the third parties that they were sharing data with! Encouragingly, the study also found that a program of vendor-supplier cybersecurity oversight could reduce the incidence of a breach from 66 percent to 46 percent, a decrease of 20 points.
Under ERISA, your list of benefit service providers could include:
Once this list of providers is compiled, it should be ranked from highest potential risk to lowest potential risk based on the sensitivity of the data each provider can access, and other risk factors.
3. Establish a framework for evaluating service providers’ cybersecurity
Most of the frameworks that have been identified coalesce around the National Institute of Standards and Technology (“NIST”) framework, developed by the U.S. Department of Commerce. Using this framework as a starting point, many in the retirement industry have begun to coalesce around industry-specific standards and frameworks, such as HITRUST.
While industry standards are being worked out, the Appendix of the ERISA Advisory Council report suggests that plans incorporate the following 14 general questions when contracting with and evaluating benefit services providers:
4. Conduct provider assessments
Once your framework is in place, you’ll need to assess your current providers. There are several approaches that you can take, each involving different degrees of time and cost:
5. Incorporate evaluation & assessment approach into future procurement activities
Whatever your approach, it’s abundantly clear that the effort put into understanding, monitoring and verifying your benefit services providers’ usage and handling of your company’s data could be the difference between keeping the data secure or becoming ‘collateral damage’ in a third party cyberattack.