Article

In today’s fast-paced digital landscape, where data breaches and cyber threats loom at every corner, monitoring all service providers that hold personally identifiable information (“PII”) or personal health information (“PHI”) of employee benefit plan participants has become an integral part of any benefit plan committee’s risk management strategy.


Data breach statistics have consistently pointed to third-party service providers as the most significant conduit for compromised PII and PHI.  A new era in vendor monitoring has emerged to make the responsibility to oversee service providers more efficient.

Traditionally, many employers have relied on questionnaire-based assessments, and the System and Organization Controls (“SOC 2”) reports from CPA firms to evaluate their vendors’ cybersecurity posture.  However, as cyber threats evolve and grow in sophistication, it has become evident that this single-point-in-time approach is inefficient and ineffective.  That is especially true for employee benefit plans, which have increasingly become prime targets for cyber attackers.

Plan fiduciaries are responding to those challenges by adopting a more innovative and quantitative approach to evaluating the real-time security posture of the service providers they hire.  That includes cases where a primary vendor outsources processing functions to subservice vendors.

Cyber-ProtectRC is a mix of technology and procedures that elevate fiduciary performance to a higher level.  It goes beyond the basic activities published in the U.S. Department of Labor’s cybersecurity guidelines to provide real-time transparency into vendors’ computer systems.

The Limitations of Questionnaire-Based Assessments

Questionnaire-based assessments have long been a staple in the vendor evaluation process.  While they may provide a snapshot of a vendor’s security practices at a specific moment, they fall short in several critical ways:

Subjectivity:
The effectiveness of questionnaire-based assessments heavily relies on the vendor’s willingness to disclose accurate information.  Vendors may not always provide a transparent view of their security practices, leaving plan fiduciaries with a false sense of security.

Limited Scope:
Questionnaires tend to focus on specific, predefined areas of cybersecurity, missing potential vulnerabilities outside of these predefined categories.

Lack of Continuity:
The ever-evolving nature of cybersecurity means that a vendor’s security posture can change rapidly.  A snapshot in time does not reflect the ongoing commitment to security practices.

The Inadequacy of SOC 2 Reports

Similarly, the SOC 2 report, while valuable in assessing controls and processes, is not a panacea for vendor monitoring.  Notably, each defined contribution plan recordkeeper that has experienced a data security breach had undergone SOC 2 audits beforehand.  As each case reveals, those audits have limitations: they are neither predictive of a vendor’s likelihood of an intrusion, nor do they identify the cause or causes when one occurs.

Static Assessment:
Like questionnaires, SOC 2 reports offer a point-in-time assessment, rendering them inadequate for evaluating a vendor’s real-time security posture.

Generalized Auditing Standards:
SOC 2 reports are not tailor-made for every vendor, and the scope of their evaluation may not be specific to the services a vendor provides to a retirement, pension, or healthcare plan.

Limited Scope:
SOC 2 reports are often limited to assessing financial controls and reporting, neglecting other crucial aspects of cybersecurity.

A New Approach: Smarter and Quantitative Monitoring

To combat the dynamic and evolving nature of cybersecurity risks, executives in charge of employee benefit plans must seek a more intelligent and quantitative approach to evaluate their vendors’ security posture continually.  Here are some key strategies to consider:

Continuous Monitoring:
Adopt real-time monitoring solutions that provide a constant data stream on your vendor’s cybersecurity practices.  This ongoing assessment helps identify vulnerabilities and incidents as they occur, allowing for a timely response.

Quantitative Metrics:
Use quantitative metrics and key performance indicators (“KPIs”) to objectively assess a vendor’s security posture.  Metrics can include data on patch management, incident response times, and user access controls.

Third-Party Risk Management Platforms:
Invest in third-party risk management platforms that offer automated assessments, vulnerability scanning, and threat intelligence to provide a more comprehensive view of a vendor’s cybersecurity status.

Penetration Testing:
Regularly review the results of service providers’ penetration testing exercises to identify vulnerabilities and potential exploits in their systems, enabling proactive remediation.

Incident Response Testing:
Assess your vendor’s incident response capabilities through simulated exercises to ensure they can effectively mitigate security incidents.

Summary

A new paradigm in vendor monitoring has arisen in a world where cyber risks are constantly changing, and employee benefit plans are becoming more and more appealing targets for attackers.  Traditional questionnaire-based evaluations and SOC 2 reports are insufficient for giving current information about a vendor’s security posture.

Plan fiduciaries must adopt a more intelligent and scientific approach to monitor service providers’ cybersecurity.  This strategy enables enterprises to protect sensitive data, stay ahead of new threats, and ensure their providers are committed to upholding a solid security posture.  Plan fiduciaries can improve their cybersecurity defenses and reduce the risks related to vendor relationships by employing continuous monitoring, quantifiable metrics, and rigorous testing.
