Risk Assessments

 View Only
  • 1.  Benefit Providers Classification

    This message was posted by a user wishing to remain anonymous
    Posted 5 days ago
    This message was posted by a user wishing to remain anonymous

    Hello All,

    I am curious as to how you classify your Benefit Providers (Anthem, Delta Dental, Kaiser) considering the fact that they have access to NPPI such as NAME, SSN, DOB, ADDRESS, to mention a few? These providers not only have access to employees data but their families and dependents. I am currently working on onboarding a provider and they classifies as Critical vendor due to the type of employees data they would have access to. The Business Owner argues the provider should be classify as Moderate and not Critical.

    What are your thoughts?

    Thank you!



  • 2.  RE: Benefit Providers Classification

    Posted 5 days ago

    Ncontracts just rated ours as Tier 2 (GLBA) Vendors .

     






  • 3.  RE: Benefit Providers Classification

    This message was posted by a user wishing to remain anonymous
    Posted 5 days ago
    This message was posted by a user wishing to remain anonymous

    Seems fair to point out that N Contracts owns Venminder, as part of a deal when Hg bought Ncontracts in September 2024.

    As to my employer, it also rates HR benefits providers as "Moderate" for information security risk. 

    One way to think about it: As a human, I rate my own PII as "Critical" to my existence in my country of residence (USA). Theoretically, all of us do. I treat it accordingly.

    As a representative of my employer, that information isn't "Critical" to my company's daily operations. It is unbelievably important to my employer's ability to retain and attract employees, but applying moderate risk assessment doesn't (and shouldn't change) how a company PROTECTS its employees' PII. Therefore, my employer treats it accordingly - and in most people's cases, that's also true. Reality is that most employers likely are more careful with employee PII than the rank and file employees are with their individual data.

    I hope that analysis helps.




  • 4.  RE: Benefit Providers Classification

    Posted 5 days ago
    Really a no-brainer. NPPI, especially for dependents, ranks Critical.



    Sent via the Samsung Galaxy S8+, an AT&T 5G Evolution capable smartphone





  • 5.  RE: Benefit Providers Classification

    Posted 2 days ago

    Something that has helped me with classifying and discussing vendor ratings is to separate out criticality from risk rating. Each vendor should be assessed if they are critical to the business or not, and separately what level of risk comes with that vendor/product/service. 

    A vendor is critical to the business function (e.g. only vendor available, or critical to day-to-day functions to where if they are down for a day my own organization cannot function properly [core banking software]) or not critical (e.g. easy to replace with another vendor, or if they are down for a little bit of time we can keep going [janitorial staff]). 

    The vendor also has a level of risk that is outside of if they are critical or not. E.g. I can have a vendor who is non-critical, like the janitorial staff, but they could be considered medium to high risk since they are contracted to work unattended in our back offices and branches to clean. They are not critical as we can get another janitorial service and our employees could clean for a few days if there were to be a break in service, but they are high risk due to the unattended access. 

    For the benefits providers, I think it might be good to do this thought exercise to walk the Business Owner through your reasoning for the higher level of risk. It may be that since you are using the term "critical" similar to how we would assess risk; it may muddy the waters for their decision. The risk might be high, since they have the NPPI, but possibly they aren't critical to the function of your business (e.g. you could get another benefits company, and your business could still function if there were outages). The Business Owner may be thinking moderate would be appropriate since business criticality is being taken into account in their decisions, not just the risk. 

    Hopefully that makes some sense, it isn't the most intuitive thing to separate these out. 




  • 6.  RE: Benefit Providers Classification

    Posted 2 days ago

    Our TPRM program excludes medical providers due to their extensive regulation (e.g., HIPAA, FCS, FKA etc.). Instead, our legal team handles contracts and agreements, while HR manages the overall relationship. Information Security performs infosec and access reviews as necessary. We focus on brokerage firms involved with medical benefits providers and administrative services (e.g., 401k administration). These vendors are generally classified as Tier 3 or moderate risk, meeting our basic requirements for vendors with access to NPI data, necessitating due diligence and ongoing monitoring.  We are a small TPRM team with one risk manager and this risk based approached has worked for us.