Is Your TPA Prepared to Protect Data?

Author: Matt Hyre

Chief Technology Officer

Companies are accountable for the safety and confidentiality of their client data and employee information. This is a difficult task that is becoming increasingly costly, because attackers continue to develop ways to evade even advanced cybersecurity technologies. Plan sponsors that have hired a third-party administrator (TPA) to manage sensitive information may never have evaluated the security measures the TPA has in place, yet this is one of the most important things to consider when choosing a provider.

Who is Responsible?

To ensure participants’ data stays safe, it is vital to know what processes service providers use for cybersecurity. It is tempting to assume that the data TPAs manage is secure, and that they have adequate controls in place to protect the integrity, confidentiality, and availability of the data entrusted to them. That may not be the case.

Moreover, if there is a data breach at the TPA, the plan sponsors and plan fiduciaries remain responsible for any resulting noncompliance. For that reason, it is crucial for plan sponsors to understand how their TPA is protecting sensitive data. They should know whether the TPA is complying with the applicable state data-protection and breach-notification laws, and they should ensure they are contractually protected if the TPA violates those laws. Plan sponsors should assume it is their responsibility to make sure the TPA is thoroughly safeguarding their data.

Cybersecurity Issues to Consider When Hiring a TPA

Since this responsibility lies with plan sponsors, it is important that they address data security and the measures their TPA employs before any data changes hands. Settling these points up front reduces the chance that data is compromised later. The law firm Mintz recently wrote an article outlining specific protections that should be addressed in TPA contracts. These are the recommended items:

  • The TPA should maintain a comprehensive, written security program that contains administrative, technical, and physical safeguards based on accepted industry practices.
  • If any data is lost or stolen under the TPA’s watch, the TPA should contact the employer immediately and provide a remediation plan that complies with all federal and state laws relating to data breaches, whether the laws apply to the TPA or to the employer.
  • The TPA should bear all expenses for security breach mitigation and should compensate the employer for any loss or theft of the employer’s data.
  • The contract should address transfer, storage, retention and destruction of data.
  • Participant data should be accessible only by the TPA’s trained personnel and used only to perform the contracted services.
  • Any subcontractors must be bound by the same standards as the TPA.
  • The TPA should have a robust business continuity and disaster recovery plan covering the employer’s data.
  • The employer should reserve rights to audit the TPA’s practices.
  • The agreement term should be limited, so that the employer can renegotiate cybersecurity provisions as rules evolve and new threats emerge.

Most Common Types of Threats

In addition to the contract terms noted above, it is important to make sure the TPA has IT security policies and procedures in place, along with the technical controls to enforce them. Its cybersecurity technology should be chosen to counter the most common threats, such as:

  • Phishing
  • Malware
  • Distributed Denial of Service
  • Password Attacks
  • Attacks on Internet of Things (IoT) devices or manipulation of algorithms
  • Ransomware

Businesses especially need to be aware of Advanced Persistent Threats, or APTs. In an APT, an unauthorized user gains access to a system or network and remains there, undetected, for an extended period of time. These threats are particularly dangerous because the attackers have ongoing access to sensitive data and deliberately keep their activity quiet enough to avoid triggering alarms.

The threats noted above are among the most widely understood attack patterns, so with the right security software and monitoring most of them can be detected and often blocked. Phishing is the exception that also depends on user awareness, since no filter catches every message. TPAs should employ a comprehensive strategy to protect the integrity of their network, programs, and data from cyber attacks. Their security measures should include current tooling to guard against malware, ransomware, phishing, and application attacks. They should also encrypt data at rest and in transit and keep offsite backups that are isolated from the production network, so that ransomware that reaches production cannot also encrypt the only remaining copy of the data.

Finally, in the event of cybercrime, a TPA should be prepared with cybersecurity insurance. Coverage typically includes security and privacy liability, a sublimit for regulatory actions, network interruption, cyber extortion, media content liability, and event (breach response) management.

While cybersecurity may not be plan sponsors’ most pressing issue, it is important for them to protect themselves and their participants from cyber threats. Thus, it is important to choose a TPA that continuously updates its technologies and practices to ensure the integrity, confidentiality, and availability of information.

Interested in how Goldleaf Partners protects data? Request more info here and we can send you more information on our data security systems, policies, and procedures.