7 cybersecurity questions to help protect your clients’ data

To protect confidential information in these times of frequent cyberattacks, companies are investing more time and resources into making sure they have cybersecurity plans in place. You can help protect your clients by ensuring their benefits providers have measures in place to protect information.

Some believe that limiting the number of providers companies work with is the answer, but that doesn’t address the actual issue. One provider with less-than-stellar security measures can put a company in much greater danger than three providers with industry-leading cybersecurity measures in place.

Here are seven questions to ask current or potential benefits providers about data security that will help minimize risk and better protect against cyberattacks:

  1. Do you use Social Security numbers for member enrollment and identification?

Compromised Social Security numbers can cause a lot of problems for employees — more than any other piece of personally identifiable information (PII). It’s safer if you and providers use other ways to identify members, such as a unique member identification number.

  2. How do you protect data in transit?

Data being moved — for example from one network to another, shared across the internet or being transferred to the cloud — is at risk of being intercepted. When sending or receiving sensitive data, it’s important that the benefits provider uses secure connections and encrypts all data.

Talk to them about what security protocols they use (Secure Sockets Layer – SSL – or Transport Layer Security – TLS) to see if they are using the most recent protocols. Ask if their protocols follow those recommended by the National Institute of Standards and Technology (NIST), for example those outlined in the Federal Information Processing Standards Publication (FIPS 140-2).

  3. How do you protect data at rest?

It’s not enough to protect data only when it’s moving; stored data needs to be protected as well. Are providers encrypting your stored data? What algorithms are they using to do so? Are they state-of-the-art? Are their systems protected by firewalls, anti-virus programs and intrusion-detection/prevention measures?

  4. Who at your company has access to company data?

Make sure these employees are trained on security best practices and the importance of protecting PII. Also ask about internal measures in place to make sure employees who don’t need access can’t easily get it.

  5. Are your policies in accordance with Sarbanes-Oxley and Gramm-Leach-Bliley?

These acts came about in response to corporate fraud in the financial services industry. While not explicitly about data security, some aspects touch on internal measures to protect consumer information. You’ll want to make sure what your provider has in place is compliant with these acts.

  6. What other security standards and guidelines do you adhere to?

There are a number of security guidelines that exist in specific industries, along with state, national and international guidelines (e.g., ISO 27001). Talk to your providers and be sure that they also follow any industry and government guidelines the company follows.

  7. Do you use two-factor authentication for administrative log-ins?

The ability to add another level of security at log-in will decrease the risk of accounts being breached. Ask your provider if they have a dual-factor authentication option that includes confirmation of identity through an SMS text, app or push notification before allowing users access to their accounts.

By discussing these seven questions with any existing or potential benefits providers, you’ll help ensure you and your clients are working with partners who value protecting company information as much as you do.


Dennis Healy is a member of the ARAG® executive team. Dennis is a passionate advocate for legal insurance because he has seen firsthand how it helps people receive the protection and legal help they need. He has more than 25 years of insurance industry experience, with a primary focus on the sale of group voluntary benefit products to employer groups of all sizes through brokers, consultants and employee benefit exchanges.