|

Concern rises over cyber attacks on suppliers

What CISOs Worry About in 2018

• 44% of respondents predict that a supplier will misuse or share confidential information with other third parties.
• 42% worry most about a supplier data breach.
• 60% responded that their concern about experiencing a data breach caused by a supplier had increased since last year, with 21% indicating that their concern had increased significantly.
• 51% felt that they were likely to have a data breach in the coming year resulting from a “failure to control third parties' use of our sensitive data.”
• 42% felt that “visibility into the sensitive data accessed & used by third parties” could drive improvement to the organization's cybersecurity posture.

Cybersecurity Considerations for Benefit Plans 1. Understand the data you are protecting.

• What specific data is needed by a service provider?
• How is the data is exchanged with the provider?
• Where is the data is stored?
• Who has access to the data?
• What data needs to be retained?

2. Keep an inventory of all benefit services provider relationships.

• Recordkeepers
• Fund managers
• Third-party administrators (TPAs)
• Custodians
• Actuaries
• Auditors
• Trustees
• Advisors
• Consultants
• Other specialists, including automatic rollover and portability service providers

3. Establish a framework for evaluating service providers' cybersecurity. HITRUST 4. Conduct provider assessments.

• Provider self-assessments and responses to your questions
• Independent audits (ex. – SOC 2)
• Third-party security services assessment
• Direct audits of providers

5. Incorporate evaluation & assessment approach into future procurement activities

• Include standard, cybersecurity questions in your RFPs, and into RFP scoring
• Incorporate security provisions into services agreements

Mike Goode RCH