March 2024
As the rate of digital transformation continues to accelerate across all industries, insufficient cybersecurity guardrails and policies remain a pressing threat to the insurance and benefits ecosystem. PEOs are attractive targets for cyberattacks because of the sensitive personal information they maintain.
Implementation of a robust cybersecurity program, including protecting sensitive data and safeguarding critical infrastructure, is a vital component of any organization’s operations and essential to preserving trust with customers and partners. One ransomware attack can undermine the financial stability of small and medium-sized firms and damage their reputation in the industry. Your answers to the six questions below will help you understand your company’s risk profile and the urgency with which you need to act.
SIX QUESTIONS THAT DEFINE YOUR CYBER VULNERABILITY
Question 1: Do you have 24 x 7 x 365 cyber monitoring in place protecting your endpoints to reduce the risk of a cyber intrusion? Vulnerability scans and endpoint penetration tests are critical to understanding your risks. They should be run daily as part of your production cycle. Today’s technology leverages AI to identify patterns of potential cyber intrusion and will isolate and contain attempts made by increasingly sophisticated malware. Priority: Very High
Question 2: What is your approach to file sharing and data ingestion for payroll, agent/broker data, and third-party interfaces? Most PEOs process hundreds of files monthly for payroll, COBRA, enrollment, FSAs/HSAs, workers’ comp, retirement, premium billing, payments, and insurance. Does your PEO mandate file transfer protocols (FTP) to centralize file delivery and screen out any potential malware or ransomware? Have you implemented APIs to integrate data sharing through verified sources that are accessible only through secure applications?
If FTP and APIs are in place, you have taken a key step towards controlling the quality of data entering your transaction processing systems. If you are primarily relying on Microsoft Excel sheets for transaction processing, you are operating at considerable risk of cyber intrusion. The risk has increased with remote, work-from-home scenarios where personal use and business use may intersect. In addition to cyber concerns, you may find that you are not in compliance with PII and PHI data privacy requirements if SSNs and other sensitive information are being sent via Microsoft Excel and stored in databases in a non-encrypted format. Priority: High
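To make the intake controls described in this section concrete, the following Python script is an added example written for this article, not a tool provided by the author or by any PEO. It shows a minimal intake gate for an inbound payroll file: it accepts only an approved transport format, checks the required columns and each row's values, quarantines the whole file if any row fails, and replaces the raw SSN with a keyed HMAC token plus a masked last-four before the record is handed to the transaction store. The column names, the approved-format policy, the environment variable PAYROLL_PEPPER and the sample rows are all assumptions constructed for the example.

```python
import csv
import hashlib
import hmac
import io
import os
import re
from dataclasses import dataclass, field

# Policy assumptions for this example (hypothetical, not taken from the article):
APPROVED_EXTENSIONS = {".csv"}            # spreadsheets are not an accepted transport format
REQUIRED_COLUMNS = {"employee_id", "ssn", "gross_pay"}
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

# Secret used to tokenize SSNs; the fallback value is a labelled placeholder for local runs only.
KEY = os.environ.get("PAYROLL_PEPPER", "dev-only-placeholder-key").encode()


@dataclass
class IntakeResult:
    accepted: bool
    reasons: list = field(default_factory=list)   # why the file was rejected (never contains an SSN)
    records: list = field(default_factory=list)   # rows as they would be stored (no raw SSN)


def ssn_token(ssn: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the SSN: stable for matching and de-duplication, useless without the key."""
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()


def mask_ssn(ssn: str) -> str:
    """Display form that keeps only the last four digits."""
    return "***-**-" + ssn[-4:]


def check_payroll_file(filename: str, content: str, key: bytes) -> IntakeResult:
    """Validate one inbound payroll file; all-or-nothing so payroll is never partially loaded."""
    result = IntakeResult(accepted=False)

    ext = os.path.splitext(filename)[1].lower()
    if ext not in APPROVED_EXTENSIONS:
        result.reasons.append(f"rejected file type {ext!r}; approved: {sorted(APPROVED_EXTENSIONS)}")
        return result

    reader = csv.DictReader(io.StringIO(content))
    missing = REQUIRED_COLUMNS - set(reader.fieldnames or [])
    if missing:
        result.reasons.append(f"missing required columns: {sorted(missing)}")
        return result

    seen_ids = set()
    for lineno, row in enumerate(reader, start=2):        # line 1 is the header
        emp = (row.get("employee_id") or "").strip()
        ssn = (row.get("ssn") or "").strip()
        pay = (row.get("gross_pay") or "").strip()

        if not emp:
            result.reasons.append(f"line {lineno}: empty employee_id")
        elif emp in seen_ids:
            result.reasons.append(f"line {lineno}: duplicate employee_id {emp}")
        seen_ids.add(emp)

        ssn_ok = bool(SSN_RE.match(ssn))
        if not ssn_ok:
            # Report the problem without echoing the offending value into logs.
            result.reasons.append(f"line {lineno}: SSN not in NNN-NN-NNNN form")

        try:
            amount = float(pay)
            if amount < 0:
                raise ValueError
        except ValueError:
            result.reasons.append(f"line {lineno}: gross_pay {pay!r} is not a non-negative amount")
            amount = None

        # The stored row carries a token and a masked value, never the raw SSN.
        result.records.append({
            "employee_id": emp,
            "ssn_token": ssn_token(ssn, key) if ssn_ok else None,
            "ssn_last4": mask_ssn(ssn) if ssn_ok else None,
            "gross_pay": amount,
            "line": lineno,
        })

    if result.reasons:
        result.records = []       # quarantine the whole file; nothing reaches the database
        return result
    result.accepted = True
    return result


# Constructed sample inputs for a local run.
GOOD_CSV = "employee_id,ssn,gross_pay\n1001,123-45-6789,4200.00\n1002,987-65-4321,3875.50\n"
BAD_CSV = "employee_id,ssn,gross_pay\n1001,123456789,4200.00\n1001,987-65-4321,-5\n"


def demo():
    good = check_payroll_file("payroll_2024_03.csv", GOOD_CSV, KEY)
    bad = check_payroll_file("payroll_2024_03.csv", BAD_CSV, KEY)
    wrong_type = check_payroll_file("payroll_2024_03.xlsm", "", KEY)
    return good, bad, wrong_type


if __name__ == "__main__":
    for name, r in zip(("good", "bad", "wrong_type"), demo()):
        print(name, "accepted" if r.accepted else "rejected", r.reasons)
```

The HMAC token lets downstream jobs match and de-duplicate employees without the SSN itself ever sitting in a table; where the SSN must be recoverable (for tax filings, for example), encrypt that field with a vetted library such as the `cryptography` package rather than anything hand-rolled, and keep the key outside the database. The rejection reasons are written so that they can go straight to a log or a ticket without leaking the value that failed validation.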
Question 3: Have you implemented cyber hygiene steps such as frequent password changes, multi-factor authentication, a ban on USB drives, and VPN-based access control for production systems? The remote work model is part of the new way of working, but it requires tightened policies to prevent personal practices from undermining corporate standards and policies. Passwords saved in the browser are often harvested, allowing bad actors to access your systems. Malware or ransomware can be launched from programs stored on a USB drive. Production processing over unsecured networks is also easily compromised. Priority: High
Question 4: Do you understand the vulnerabilities of the third-party applications and data transfer tools that you are using? Hackers use an approach called a zero-day exploit when they find a vulnerability before the software provider does, or before the necessary patches are available to its customer base. "Zero-day" refers to the fact that the software or device vendor has had zero days to fix a flaw that malicious actors have already discovered. Many recent intrusions involved a single tool or solution and impacted multiple organizations simultaneously.
If you do not have a third-party risk plan, you are trusting in good faith that your vendors apply cyber best practices, and you carry the added risk if they do not. Future negotiations with partners should include due diligence on security practices, and new contractual agreements should spell out security expectations. Priority: Very High
Question 5: Do you have mandatory cyber awareness training in your organization for all employees and contractors, scheduled regularly? A major source of ransomware and malware intrusions is email and text messages. This creates a huge challenge for your “human firewall.” Attackers are very sophisticated: using AI and other tools, they mimic content seen in daily production and often request a time-critical action from staff who are heads down on production work.
Did you know that 30% of professionals in all industries are “phish prone” to click a link or open an attachment that appears legitimate? In addition, phishing attacks, in which attackers trick email users into divulging sensitive information, remain the most common entry into a system. With regular digital training and testing programs, and simulated scenario tests, organizations can reduce their risk to under 10% after one year of digital training. Priority: Very High
Question 6: Do you have a documented communication plan for when a cyber intrusion occurs? This includes contacting investors, executives, internal staff, customers, third parties, legal counsel, vendors, media, and insurers. This communication plan is critical to isolating the issue, mitigating the risk of bad press, and limiting the loss of revenue and customers. The plan also includes the steps to recover from backups and get production back in order. Cyber insurance policies usually require organizations to have a formal information security management program (ISMP) in place to reduce the risk and cost of an attack. Priority: Very High
These six questions should all be considered high or very high priority since they represent standards for protecting your organization. Small organizations are not immune to cyberthreats. In fact, hackers often target small to medium sized businesses because they often have less sophisticated cybersecurity measures in place. Recognizing that every organization, regardless of size, can be a target is an essential step in prioritizing cybersecurity.
Finally, let us close on the point that cyber insurance does not replace the need for robust cybersecurity measures. Cyber insurance is a financial safety net; it does not prevent cyberattacks or guarantee complete recovery. Investing in proactive cybersecurity measures is crucial for preventing incidents in the first place and minimizing potential damage. Also, the cost of cyber insurance goes up when the practices outlined in this article are not in place, and in some cases policies may exclude ransomware payments.
So, what should you do immediately? I recommend one immediate step for all firms, which is a 4-week vulnerability assessment. The cost of a security breach is potentially a catastrophic financial issue that some firms will not recover from. You gain peace of mind associated with predictable costs and significantly reduced risk.