Author: Matt Hyre
Chief Technology Officer
Companies are accountable for the safety and confidentiality of their client data and employee information. This is a difficult task that’s becoming increasingly costly. Why? Hackers continue to develop sophisticated ways to evade even the most advanced cybersecurity technologies. If plan sponsors have hired a third-party administrator (TPA) to manage sensitive information, they might not have evaluated the security measures the TPA has in place. Yet, this is an extremely important aspect to consider in a provider.
To ensure participants’ data stays safe, it’s vital to know the processes service providers utilize for cybersecurity. It is tempting to assume that the data TPAs manage is secure. It’s also tempting to expect they have the adequate controls in place to protect the integrity, confidentiality, and availability of the data entrusted to them. However, this may not be the case.
Moreover, if there is a data breach at the TPA, the plan sponsors and plan fiduciaries remain responsible for the resulting noncompliance. For that reason, it is crucial for plan sponsors to understand how their TPA is protecting sensitive data. They should know whether their TPA is complying with applicable state laws, and they should ensure they are contractually protected if the TPA fails to do so. Plan sponsors should assume it is their responsibility to make sure the TPA is thoroughly safeguarding their data.
Since this responsibility lies with plan sponsors, it’s important they address data security and the measures their TPA employs. This helps ensure data will not be compromised. The law firm Mintz recently wrote an article that outlines specific protections that should be addressed in TPA contracts. These are the recommended items:
In addition to the contract terms noted above, it is important to make sure the TPA has IT security policies and procedures in place. Additionally, cybersecurity technology should be employed to combat the most common threats, such as:
Businesses especially need to be aware of Advanced Persistent Threats, or APTs. These occur when an unauthorized user gains access to a system or network and remains there, undetected, for an extended period of time. These threats are particularly dangerous because the attackers have ongoing access to sensitive data rather than a single opportunity to steal it.
The threats noted above are some of the most widely understood attack patterns. Therefore, with the right security software and monitoring, most instances of them can be detected and, in many cases, prevented. TPAs should employ a comprehensive strategy to protect the integrity of their network, programs, and data from cyber attacks. Their security measures should involve the deployment of current technology to safeguard data from malware, ransomware, phishing, and application attacks. It is also important that they employ data protection measures, such as encryption of data at rest and in transit and offsite backup storage, so that data remains confidential and recoverable even if an attacker or malware reaches it.
Finally, in the event of cybercrime, a TPA should be prepared with cybersecurity insurance. Typical coverage includes security and privacy liability, a regulatory action sublimit of liability, network interruption, cyber extortion, media content, and event management.
While cybersecurity may not be plan sponsors’ most pressing issue, it’s important for them to protect themselves and their participants from cyber threats. Thus, it’s important to choose a TPA that continuously deploys current technologies and practices to ensure the integrity, confidentiality, and availability of information.