While data privacy has become a major concern for organizations with respect to their core business operations, benefit plans can fall outside their focus. The sensitive nature of information stored (SSNs, DOBs, financial and medical information, bank account details and beneficiary information), large amounts of money involved and prevalence of sharing data with third-party vendors makes benefit plan data particularly alluring to cyberhackers.
In a recent International Foundation member webcast, Managing Cybersecurity Risks in Benefit Plan Administration, Kristen Mathews and Robert Projansky of Proskauer Rose LLP shared a list of proactive actions employers and plans can take to manage risk and who should manage each. Spoiler alert—Placing all of the responsibility solely on your technology team was not recommended.
Throughout the webcast, Projansky and Mathews shared tips and very compelling examples of “this could happen to you.” A common theme shined through—Cybersecurity is everyone’s responsibility. It’s important to have a plan and a well-trained team, both internally and with your vendors.
Internal Team—Who is responsible for each part of strategy implementation?
- Staffing—Very clearly identify personnel responsible for strategy implementation.
- Train staff and participants—Make sure everyone who is handling or has access to data is trained. Train participants, too. Make sure your SPD includes language about password security.
- Have an incident response team and written plan, in advance and updated regularly.
- Make sure your team is comprehensive, including IT, information security, legal, PR, HR, risk, compliance, etc.
- Have a data breach response plan and team in place before you need to respond.
- Create a response plan to act as a “playbook” during a breach response.
- Retain incident response vendors in advance with negotiated terms and prices. You will likely need outside help in the event of a data breach.
- Use simulation exercises to prepare and to find needed changes to your plan.
[Related: Data Breaches: Be Ready!—Benefit Bits Video]
Vendor Management—Your vendor’s risks are your risks. Do you know how your vendors are handling your data?
- View every partner that has access to or receives data from your company as a potential gateway for hackers.
- Negotiate contracts with data protection in mind.
- Determine whether each vendor is adequately protecting your data using a vendor security assessment questionnaire and reviewing results of independent evaluations.
- Ask the right questions—and ask a lot of them! Mathews offered the following list of factors to consider as you start to build your comprehensive list of questions:
- Elements of cybersecurity program
- Limitations on use of data
- How is data maintained and protected?
- How are physical assets protected?
- Is data encrypted at rest, in transit, on devices?
- What responsibility/liability/reporting will vendor agree to contractually?
- Internal and external processes to assess cybersecurity
- Processes around subcontracting
[Related: How to Avoid Pharmacy Fraud]
Cybersecurity is an ongoing effort that must evolve along with rapidly changing laws in the area. From your internal teams to your vendors to your plan participants, it is critical to know each individual’s role in keeping benefits data protected. Having an understanding of the risk and advance planning can help to avoid challenging issues in the future.
Ann Godsell, CEBS
Director, Social Media and Content Marketing at the International Foundation