Continued monitoring of AI-enabled services begins with knowing where that technology exists in vendors' offerings and whether it's accommodated in their data security policies and practices. This post provides ways to embrace AI in employee benefit plan cybersecurity oversight.

Employers that sponsor employee benefit plans ("EBP") must deal with the danger of using third-party providers. But assessing vendors' risks and interpreting their severity is challenging because breaches of vendors' information systems can happen at any time.

Cybersecurity is Not an IT Problem Alone

Ultimately, plan administrators and benefit plan committees will bear the brunt of the consequences for getting it wrong. The responsibility for ensuring the safety of EBP participants' data and monetary assets has shifted from the computer department to the human resources suite.

HR managers face a two-part challenge. The first is the need to have a working knowledge of the risks facing their EBPs from internal sources and service providers. The second is the capability to detect any data security intrusions that strike plan vendors as they occur.

Risk Assessment

Risk assessment is a crucial process that plays a fundamental role in many aspects of the fiduciary role, from benefit plan choices to service provider selection. It involves systematically identifying, evaluating, and prioritizing potential risks that exist inside the enterprise as well as those sourced from third parties.

The primary objectives of an EBP risk assessment are to gain a comprehensive understanding of the potential adverse outcomes that may arise and to ensure compliance with regulatory demands. A well-executed risk assessment empowers boards of directors and human resources executives to navigate uncertainty with prudence and confidence, fostering resilience and informed decision-making.

Vendor Tracking

Vendor tracking refers to the process of monitoring and managing relationships with plan vendors. It involves keeping a close eye on the performance and data security of their interactions with an employer and a benefit plan's participants. Using technology tools to monitor EBP vendors is key to executing the data security discipline properly.

Where We're Headed

Achieving a high level of oversight is challenging due to embedded technologies like artificial intelligence that can screen a plan sponsor's view of a third party's cybersecurity events.

The U.S. Department of Labor expects employers to assess the safety of their employee benefit plan service providers' data systems. Yet when asked to respond to benefit plan committees' questionnaires, most vendors provide very few relevant details.

The antidote to that dilemma is a tracking capability controlled by human resources that uses AI to interrogate service providers' systems without their involvement or awareness, like that found in Cyber-ProtectRC.

Practical Tip

To meet emerging cybersecurity standards as plan sponsors, employers need to understand some basic rules, specifically the Employee Retirement Income Security Act ("ERISA").

The U.S. Department of Labor ("DOL") is developing cybersecurity objectives for plan fiduciaries that form the basis for its plan audits. It's likely that the DOL's guidelines will add to the foundation on which data security related class action lawsuits are litigated.

Cybersecurity for benefit plans often falls outside the scope of cybersecurity planning for enterprises at large.

Benefit plans often maintain and share sensitive employee data and asset information across multiple unrelated entities as a part of the benefit plan administration process. This data and asset information should be specifically considered when implementing cybersecurity risk management measures.

Because benefit plans are regulated by ERISA, anyone who interacts with the plan should be particularly aware of the impact that breaches have on participants and beneficiaries and the associated rights and duties of plan fiduciaries arising under ERISA.

Everyone who comes in contact with personally identifiable information ("PII") has a role to play in protecting plan data.

Here's where to start...

Adopt a Cybersecurity Policy

Regardless of a plan's size or complexity, the need for a cybersecurity policy statement ("CPS") has escalated to the same level of importance as an investment policy statement. If your plan currently lacks a CPS, don't delay in adding one to the policies on which you rely to demonstrate that your plan is being managed prudently.

Conduct a Cybersecurity Risk Assessment

Initiate an examination of your plan's current cybersecurity sensitivities, resourced either internally or by a qualified third-party expert. A legally defensible risk assessment will adhere to 18 discovery tasks. Scored on a scale of 1 to 100, an assessment offers a way to ensure continued improvement. Ask Roland|Criss for a list.

Elevate Cybersecurity to a High Monitoring Priority

The agendas of benefit plan related committees should include a permanent entry for monitoring a security management plan. Best practices for ERISA governance, risk management, and compliance ("GRC") systems now require evidence of robust monitoring. Using a technology application tailored for that purpose is a must. Ask us about FiduciaryGRC™, a state-of-the-art cybersecurity solution that covers the entire risk spectrum: assessment, technology, and monitoring.

FiduciaryGRC™ is a trademark of Roland|Criss.