In its guidance for selecting service providers with strong cybersecurity practices, the U.S. Department of Labor’s Employee Benefits Security Administration (“EBSA”) requires plan sponsors to:

“Look for service providers that follow a recognized standard for information security and use an outside (third-party) auditor to review and validate cybersecurity.”

Pros and Cons of Audits that Vendors Use

Which vendors you must obtain and review such audits from comes down to whether they handle or store Personally Identifiable Information (“PII”) or Personal Health Information (“PHI”) of participants in your enterprise’s retirement, pension, or healthcare plan.

The EBSA did not specify a particular audit program, nor has it endorsed one since issuing that guidance. Commonly used vendor audit programs and security management frameworks include the following:

Service Organization Control 2 (“SOC 2”) audits

SOC 2 reports describe a service provider’s controls over security, availability, processing integrity, confidentiality, and privacy.

    SOC 2 pros: Due to flexibility in the controls it sets for examination, vendors can tailor the audit to suit their environment. A SOC 2 audit has emerged as the dominant program among defined contribution plan recordkeepers.

    SOC 2 cons: This program does not invoke independent data security standards. It only tests whether a vendor adheres to its proprietary internal controls.

A SOC 2 Type 1 audit evaluates a service provider’s security program at a point in time—providing a snapshot of its current security posture.

A SOC 2 Type 2 audit evaluates a vendor’s security program over a longer term—usually six to 12 months. This audit is valuable because it provides a more comprehensive look at a vendor’s security landscape.

ISO 27001

This program is based on an internationally recognized standard that provides requirements for an enterprise’s information security management system. The International Organization for Standardization (“ISO”) develops and maintains it.
    ISO 27001 pros: It’s universally recognized and facilitates ongoing improvements in internal processes—a completed assessment results in a valued certification.

    ISO 27001 cons: Employee benefit plan sponsors with advanced requirements for third-party assurance may require additional certification from vendors. It is a standard for managing security, not for implementing it.

NIST Cybersecurity Framework

The National Institute of Standards and Technology (“NIST”), an agency of the U.S. Department of Commerce founded in 1901, publishes this framework, which provides guidelines for managing and reducing cybersecurity risk. It maps out a standardized approach that helps organizations meet the requirements of the Federal Information Security Management Act (“FISMA”).

    NIST pros: When followed, NIST helps organizations ensure appropriate security controls are in place. It lays out a plan to help organizations comply with other regulations (such as HIPAA, SOX, and FISMA) and align with other frameworks (such as SOC 2 and HITRUST).

    NIST cons: NIST itself issues no security certification, but there are related assessments that can demonstrate compliance (e.g., FISMA, MARS-E, FedRAMP).

HITRUST

HITRUST is a comprehensive security and privacy program built for the healthcare industry. HITRUST certification attests to a vendor’s conformance to best practices across security, privacy, and other regulatory requirements.

    HITRUST pros: HITRUST is emerging from the healthcare industry sector as a recognized test of any vendor’s cybersecurity capabilities. Any organization can also use it for assurance. It’s a two-year certification with an interim assessment in between, so it’s not an annual event like a SOC audit. When a vendor becomes HITRUST certified, it receives a NIST certification letter.

    HITRUST cons: The assessment cost is generally higher than that of a SOC audit. HITRUST assessments also include a considerably larger number of defined requirements.

Filling the Assurance Gap

Due to the dynamic pace at which data security attacks occur, an audit does little to help track a vendor’s day-to-day data security effectiveness. What’s needed is the ability to interrogate a service provider’s computer network traffic on the fly and detect problems as they occur, thereby warning an employer of a possible compromise of its benefit plans’ PII or PHI.

Cyber-ProtectRC provides a unique combination of risk assessment and real-time monitoring of service providers’ IT systems. Cyber-ProtectRC detects whether service providers’ security procedures are actually working. It fills the gap left by the interval between vendors’ external audits and gives benefit plan fiduciaries confident assurance.