Concern rises over cyber attacks on suppliers

What CISOs Worry About in 2018

• 44% of respondents predict that a supplier will misuse orshare confidential information with other third parties.
• 42% worry most about a supplier data breach.
• 60% responded that their concern about experiencing a databreach caused by a supplier had increased since last year, with 21%indicating that their concern had increased significantly.
• 51% felt that they were likely to have a data breach in thecoming year resulting from a “failure to control third parties' useof our sensitive data.”
• 42% felt that “visibility into the sensitive data accessed& used by third parties” could drive improvement to theorganization's cybersecurity posture.

Cybersecurity Considerations for Benefit Plans1. Understand the data you are protecting.

• What specific data is needed by a service provider?
• How is the data is exchanged with the provider?
• Where is the data is stored?
• Who has access to the data?
• What data needs to be retained?

2. Keep an inventory of all benefit servicesprovider relationships.

• Recordkeepers
• Fund managers
• Third-party administrators (TPAs)
• Custodians
• Actuaries
• Auditors
• Trustees
• Advisors
• Consultants
• Other specialists, including automatic rollover and portabilityservice providers

3. Establish a framework for evaluatingservice providers' cybersecurity.HITRUST4. Conduct providerassessments.

• Provider self-assessments and responses to your questions
• Independent audits (ex. – SOC 2)
• Third-party security services assessment
• Direct audits of providers

5. Incorporate evaluation & assessment approach intofuture procurement activities

• Include standard, cybersecurity questions in your RFPs, andinto RFP scoring
• Incorporate security provisions into services agreements

MikeGoodeRCH