As cybersecurity threats have mounted, new strategies to ensure the safety of employee benefit plans have emerged. Serious limitations in the traditional methods used for assessing vendors' data security capabilities confront executives responsible for retirement, pension, and healthcare plans.

In today's fast-paced digital landscape, where data breaches and cyber threats loom at every corner, monitoring all service providers that hold personally identifiable information ("PII") or personal health information ("PHI") of employee benefit plan participants has become an integral part of any benefit plan committee's risk management strategy.

Data breach statistics have consistently pointed to third-party service providers as the most significant conduit for compromised PII and PHI. A new era in vendor monitoring has emerged to bring efficiency to the responsibility to oversee service providers.

Traditionally, many employers have relied on questionnaire-based assessments and System and Organization Controls ("SOC 2") reports from CPA firms to evaluate their vendors' cybersecurity posture. However, as cyber threats evolve and grow in sophistication, it has become evident that this single-point-in-time approach is inefficient and ineffective. That is especially true for employee benefit plans, which have increasingly become prime targets for cyber attackers.

Plan fiduciaries are responding to those challenges by adopting a more innovative and quantitative approach to evaluating the real-time security posture of the service providers they hire. That includes those businesses whose primary vendors outsource processing functions to subservice vendors.

Cyber-ProtectRC is a mix of technology and procedures that elevates fiduciary performance to a higher level. It goes beyond the basic activities published in the U.S. Department of Labor's cybersecurity guidelines to provide real-time transparency into vendors' computer systems.

The Limitations of Questionnaire-Based Assessments

Questionnaire-based assessments have long been a staple in the vendor evaluation process. While they may provide a snapshot of a vendor's security practices at a specific moment, they fall short in several critical ways:

Subjectivity: The effectiveness of questionnaire-based assessments relies heavily on the vendor's willingness to disclose accurate information. Vendors may not always provide a transparent view of their security practices, leaving plan fiduciaries with a false sense of security.

Limited Scope: Questionnaires tend to focus on specific, predefined areas of cybersecurity, missing potential vulnerabilities outside of these predefined categories.

Lack of Continuity: The ever-evolving nature of cybersecurity means that a vendor's security posture can change rapidly. A snapshot in time does not reflect an ongoing commitment to security practices.

The Inadequacy of SOC 2 Reports

Similarly, the SOC 2 report, while valuable in assessing controls and processes, is not a panacea for vendor monitoring. Notably, each defined contribution plan recordkeeper that has experienced a data security breach had engaged in SOC 2 audits beforehand. As each case reveals, those audits have limitations: they are neither predictive of a vendor's likelihood of an intrusion, nor do they identify the cause or causes when one occurs.

Static Assessment: Like questionnaires, SOC 2 reports offer a point-in-time assessment, rendering them inadequate for evaluating a vendor's real-time security posture.

Generalized Auditing Standards: SOC 2 reports are not tailor-made for every vendor, and the scope of their evaluation may not be specific to the services a vendor provides to a retirement, pension, or healthcare plan.

Limited Scope: SOC 2 reports are often limited to assessing financial controls and reporting, neglecting other crucial aspects of cybersecurity.

A New Approach: Smarter and Quantitative Monitoring

To combat the dynamic and evolving nature of cybersecurity risks, executives in charge of employee benefit plans must seek a more intelligent and quantitative approach to evaluating their vendors' security posture continually. Here are some key strategies to consider:

Continuous Monitoring: Adopt real-time monitoring solutions that provide a constant data stream on your vendor's cybersecurity practices. This ongoing assessment helps identify vulnerabilities and incidents as they occur, allowing for a timely response.

Quantitative Metrics: Utilize quantitative metrics and key performance indicators ("KPIs") to objectively assess a vendor's security posture. Metrics can include data on patch management, incident response times, and user access controls.

Third-Party Risk Management Platforms: Invest in third-party risk management platforms that offer automated assessments, vulnerability scanning, and threat intelligence to provide a more comprehensive view of a vendor's cybersecurity status.

Penetration Testing: Regularly review the results of service providers' penetration testing exercises to identify vulnerabilities and potential exploits in their systems, enabling proactive remediation.

Incident Response Testing: Assess your vendor's incident response capabilities through simulated exercises to ensure they can effectively mitigate security incidents.

Summary

A new paradigm in vendor monitoring has arisen in a world where cyber risks are constantly changing and employee benefit plans are becoming more and more appealing targets for attackers. Traditional questionnaire-based evaluations and SOC 2 reports are insufficient for giving current information about a vendor's security posture.

Plan fiduciaries must adopt a more intelligent and scientific approach to monitoring service providers' cybersecurity. This strategy enables enterprises to protect sensitive data, stay ahead of new threats, and ensure their providers are committed to upholding a solid security posture. Plan fiduciaries can improve their cybersecurity defenses and reduce the risks related to vendor relationships by employing continuous monitoring, quantifiable metrics, and rigorous testing.

Practical Tip

To meet emerging cybersecurity standards as plan sponsors, employers need to understand some basic rules, specifically the Employee Retirement Income Security Act ("ERISA").

The U.S. Department of Labor ("DOL") is developing cybersecurity objectives for plan fiduciaries that form the basis for its plan audits. It is likely that the DOL's guidelines will add to the foundation on which data security related class action lawsuits are litigated.

Cybersecurity for benefit plans often falls outside the scope of cybersecurity planning for enterprises at large.

Benefit plans often maintain and share sensitive employee data and asset information across multiple unrelated entities as a part of the benefit plan administration process. This data and asset information should be specifically considered when implementing cybersecurity risk management measures.

Because benefit plans are regulated by ERISA, anyone who interacts with the plan should be particularly aware of the impact that breaches have on participants and beneficiaries, and of the associated rights and duties of plan fiduciaries arising under ERISA.

Everyone who comes in contact with personally identifiable information ("PII") has a role to play in protecting plan data.

Here's where to start:

Adopt a Cybersecurity Policy

Regardless of a plan's size or complexity, the need for a cybersecurity policy statement ("CPS") has escalated to the same level of importance as an investment policy statement. If your plan currently lacks a CPS, don't delay in adding one to the policies on which you rely to demonstrate that your plan is being managed prudently.

Conduct a Cybersecurity Risk Assessment

Initiate an examination of your plan's current cybersecurity sensitivities, resourced either internally or by a qualified third-party expert. A legally defensible risk assessment will adhere to 18 discovery tasks. Scored on a scale of 1 to 100, an assessment offers a way to ensure continued improvement. Ask Roland|Criss for a list.

Elevate Cybersecurity to a High Monitoring Priority

The agendas of benefit plan related committees should include a permanent entry for monitoring a security management plan. Best practices for ERISA governance, risk management, and compliance ("GRC") systems now require evidence of robust monitoring. Using a technology application tailored for that purpose is a must. Ask us about FiduciaryGRC™, a state-of-the-art cybersecurity solution that covers the entire risk spectrum: assessment, technology, and monitoring.

FiduciaryGRC™ is a trademark of Roland|Criss.