
Employers that sponsor employee benefit plans (“EBPs”) must deal with the danger of using third-party providers. But assessing vendors’ risks and interpreting their severity is challenging because breaches of vendors’ information systems can happen anytime.


Cybersecurity is Not an IT Problem Alone

The responsibility for ensuring the safety of EBP participants’ data and monetary assets has shifted from the computer department to the human resources suite.

HR managers face a two-part challenge. The first is the need to have a working knowledge of the risks facing their EBPs from internal sources and service providers. The second is the capability to detect any data security intrusions that strike plan vendors as they occur.

Risk Assessment

Risk assessment is a crucial process that plays a fundamental role in various aspects of the fiduciary role, from benefit plan choices to service provider selection. It involves systematically identifying, evaluating, and prioritizing potential risks that exist inside the enterprise as well as those sourced by third parties.

The primary objectives of an EBP risk assessment are to gain a comprehensive understanding of the potential adverse outcomes that may arise and to ensure compliance with regulatory demands. A well-executed risk assessment empowers boards of directors and human resources executives to navigate uncertainty with prudence and confidence, fostering resilience and informed decision-making.

Vendor Tracking

Vendor tracking refers to the process of monitoring and managing relationships with plan vendors. It involves keeping a close eye on the performance and data security of their interactions with an employer and a benefit plan’s participants.

Achieving a high level of oversight is challenging due to embedded technologies like artificial intelligence that can screen a plan sponsor’s view of a third party’s cybersecurity events.

The U.S. Department of Labor expects employers to assess the safety of their employee benefit plan service providers’ data systems. Yet when asked to respond to benefit plan committees’ questionnaires, most vendors provide very few relevant details.

The antidote to that dilemma is a tracking capability, controlled by human resources, that uses AI to interrogate service providers’ systems without their involvement or awareness, like that found in Cyber-ProtectRC.

Where We’re Headed

Using technology tools to monitor EBP vendors is key to executing the data security discipline properly. Ultimately, plan administrators and benefit plan committees will bear the brunt of the consequences for getting it wrong.
