Making “Census” of Data Security

Katie Boyer, Director of Client Engagement

During Annual Administration, firms are faced with their most obvious threat to their cyber security; the census data. As TPAs, you know that the data that you possess contains all the necessary information desired by hackers to destroy a person’s financial well-being. The process of collecting and transmitting census data should be the first action item on any new cybersecurity initiative.

We’ve all been there - the client has been unresponsive because they are too busy with other things and the deadline for filing is just days away. They ask, “Can I just send you an email with the info?” You know that this is not ideal, but you say yes because it has worked in the past and the task needs to be completed. What you didn’t know was that their email account had been compromised and, now, your client’s employees’ personal financial information is in the hands of sophisticated thieves.

This has potentially catastrophic implications for your client and your firm - one email, one time; that’s all it takes. The good news is that there is a plethora of technology that is on the market to eliminate this scenario.

Secure Portal: PensionPro recommends that TPAs transfer documents online and through a secure portal. Our secure portal, PlanSponsorLink, is used by nearly 400 TPAs across the country, and more than 100,000 plan sponsors nationwide. There are many other portals available to TPAs but be sure that when selecting a portal that it employs end-to-end encryption, that the vendor is SOC II compliant and performs annual (or more frequent) penetration tests and vulnerability scans. It’s also worth noting that portals connected to other software, like compliance products, can circumvent your process by accepting data prior to necessary scrubbing. While collecting the data through the portal is critical, human expertise and review is important to ensure accurate compliance testing.

Encrypted Email: For maximum security, avoid using encrypted email systems. Communications between your email application and server are likely encrypted. However, communications between your server and the recipient’s may not be. Once the email reaches its destination, it is out of the sender’s control. Another common practice that is fraught with security issues is attaching a password protected file. The problem? The password is also sent via email.

File Sharing Services: File Sharing services like ShareFile can certainly get the job done and are usually inexpensive, but they require entirely separate systems management of data. Elements, in addition to security, that should be at the forefront in your decision making process are efficiency and integration; the fewer places your team must log into, the better. While file sharing services can provide a high level of security, you may be wasting man-hours and system tracking capabilities because the technology is not linked to an integrated CRM. Another factor to consider is the number of users; many systems are paid for by per seat licenses. Artificially limiting the number of user licenses and allowing for logins to be used as team access accounts in order to save money completely eliminates audit trails due to multiple people having access to the same credentials; not a great security practice.

Snail Mail: While back in the day, a postage stamp was the only guaranteed way to deliver paperwork to clients, times have changed. And unfortunately, so has the “guarantee” and timeliness expectations we’ve adapted to. When sending anything through the mail, there is always risk that the address information has not been updated. This opens up the risk of mail getting into the wrong hands and potentially never arriving to the intended receiver. Mailing also has no true confirmation of status until it’s received back in your hands. While having the client sign for the file can be helpful, it still doesn’t guarantee any sort of window for receipt of the necessary information. While some folks may find the mailing option to be easier, the expense of printing, postage and waiting time will far outweigh any convenience.

Fax Services: Faxing is no longer just a paper scanning process, nor does it require a human to man the machine. With new options for VoIP Fax (voice over internet protocol), faxing has become an entirely paperless transmission. However, this comes with its own security risks as well. Internet fax is still transmitted over the web and in many cases, results in an attachment via email delivery. This presents the same security risks found in traditional email. If something is secure in nature, faxing is not necessarily the best option for delivery.

Wherever you land on assessing your own data collection processes, remember that adoption of improved procedures relies on two key components; ease of use and culture. Make sure that this is true for both your clients and employees. There comes a point that a line has to be drawn. This is what is expected, and this is the only method we will accept due to security requirements. It may come as a surprise to some, but clients are just as aware of what a cyber-attack could do to their business. Draw the line and stick to it, your business liability relies on it.

 
By:
Darren Conner
Need Contact info or Description for Darren