Every provider of services to employee benefit plans that has suffered a cybersecurity breach possessed an independent audit of its information systems policies and practices beforehand. Clearly, a need exists to uniformly predict the likelihood of a breach, which audits fall short of doing.
Vendor Monitoring Steps
It would be difficult to find a retirement plan recordkeeper that does not submit to an annual audit of its information systems by a CPA or a certification body. And every vendor that’s experienced a cybersecurity breach was audited beforehand.
Many of those events were caused by loopholes in the systems of a recordkeeper’s subcontractor. These so-called subservice vendors are not included in a recordkeeper’s audit, leaving a large gap in coverage of which many employee benefit plan managers are unaware.
Point-in-time audits and certifications like those I’ve mentioned have limited effectiveness. They fall short of meeting the need. Due to the dynamic pace at which data security attacks occur, they do little to help track a vendor’s day-to-day data security effectiveness.
The ability to interrogate a service provider’s computer network traffic on the fly and detect problems as they occur is needed. Artificial intelligence is helping.
Roland Criss’ real-time vendor tracking capability uses AI and helps warn employers of the likelihood of a data compromise. It examines subservice vendors, too.