There is little doubt that cybersecurity is becoming an increasingly important topic, not just for the workers' compensation industry but for organizations of all sizes and stripes. High-profile incidents in which critical data has been either exposed or encrypted for ransom have rightfully brought a finer focus to the topic for many. The workers' compensation industry is certainly not exempt from the threat, nor can it afford to ignore the consequences should it fail to put proper protections in place.
Many companies in the industry are responding to the threat. They have tightened their security protocols and are now doing in-depth reviews of the companies they affiliate with: vendors that may have access to their network, and therefore represent a potential vulnerability in the security of their data. After all, the Target credit card terminal attack, which was conducted through an automobile service center that was connected to their billing system, showed that the weakest link in a chain is the point of concern when it comes to network security.
Therefore, many insurance companies in the industry are turning to “Third-Party Assessment” firms to review and record the security policies and procedures of the vendors they do business with. As one of those vendors, we are no stranger to these reporting processes. As we slog through the 40 to 50 questions in these various reporting systems, uploading requested documents and providing whatever support they request, I cannot help but wonder: what third-party assessor assesses the third-party assessors?
Do they have to hire another third-party assessor to assess the third-party assessor that will do the third-party assessing? And how do they know that this newest third-party assessor will assess the assessor with a proper assessment? Does that mean a fourth assessor will be needed to assess the assessor doing the assessment on the assessor for the final assessments? Then you might need a fifth assessor to assess the fourth assessor who assessed the third assessor who assessed the original assessor hired to assess the third-party assessor who would do all the final third-party assessing. Clearly, this could grow to infinity and beyond, and I think we can all agree we don't have enough security badges for everyone.
To quote a famous line from the movie Jaws, “We're going to need a bigger boat.”
We at the Cluttered Desk (ok, I) have advocated for proper cybersecurity protections and applaud the industry for taking the issue seriously. However, as a relatively small company whose products are provided with no access to the networks or personally identifiable data of any TPA or insurance company, we find some incongruity in the process. You see, these third-party assessment companies are essentially hammers, and everything they see is a nail. Everyone, large, small, and in between, gets hit with the same assessment.
Yes, we have an established security and asset protection plan.
No, we don't have a $500,000 Supercalifragilisticexpialidocious security certification.
Yes, we have an established access control system that restricts server access to designated staff.
No, we do not employ Storm Troopers armed with Photon Phase Disruptors who are ordered to shoot unauthorized people on sight (although that is not a bad idea).
I am thinking that, in the future, for any security question where we have to answer “No” because it is completely irrelevant to the services actually being provided, we will start answering “Yes, but the information is encrypted, and you can't see it. Our security and asset protection plan prevents its disclosure. In fact, we haven't been able to see it since it was encrypted, and we no longer have any idea what it says. That is about as secure as you can get.”
It is either that, or the classic Pee-Wee Herman response, “I know you are, but what am I?”
That should give the third-party assessment company a run for their money. But I would also advise caution in these cases. You see, when you are a hammer and everything is a nail, there is only one approach to take when a nail will not cooperate: you simply hit it harder until it either submits or bends to your will.
This is why we sometimes wonder who assesses the third-party assessor to begin with.
Robert Wilson is President & CEO of WorkersCompensation.com, and "From Bob's Cluttered Desk" comes his (often incoherent) thoughts, ramblings, observations and rants - often on workers' comp or employment issues, but occasionally not.
Bob has a couple of unique personality characteristics. He firmly believes that everyone has the right to his (Bob's) opinion, and while he may not always be right, he is never in doubt. Enter at your own risk, and like all of our blog areas, we encourage you to read the disclaimer at the bottom of the page.
We're not responsible for this guy.....
Bob is an accomplished speaker for the workers' compensation industry. He is available for conferences, corporate events, children's birthday parties and Bar Mitzvahs. You may access his Speakers Brief here.