There is little doubt that cybersecurity is becoming an increasingly important topic, not just for the workers’ compensation industry but for organizations of all sizes and stripes. High-profile incidents where critical data has been either exposed or encrypted for ransom have rightfully brought a finer focus to the topic for many. The workers’ compensation industry is certainly not exempt from the threat, nor can it afford to be anything but mindful of the consequences should it fail to put proper protections in place.
Many companies in the industry are responding to the threat. They have tightened their security protocols and are now doing in-depth reviews of the companies they affiliate with: vendors that may have access to their network, and therefore represent a potential vulnerability in the security of their data. After all, the Target credit card terminal attack, which was conducted through an automobile service center that was connected to their billing system, showed that the weakest link in a chain is a point of concern when it comes to network security.
Therefore, many insurance companies in the industry are turning to “Third-Party Assessment” firms to review and record the security policies and procedures of the vendors they do business with. As one of those vendors, we are no stranger to these reporting processes. As we slog through the 40 to 50 questions in these various reporting systems, uploading requested documents and providing whatever support they request, I cannot help but wonder: what third-party assessor assesses the third-party assessors?
Do they have to hire another third-party assessor to assess the third-party assessor that will do third-party assessing? And how do they know that this newest third-party assessor will assess the assessor with a proper assessment? Does that mean a fourth assessor will be needed to assess the assessor doing the assessment on the assessor for the final assessments? Then you might need a fifth assessor to assess the fourth assessor who assessed the third assessor who assessed the original assessor hired to assess the third-party assessor who would do all the final third-party assessing. Clearly, this could potentially grow to infinity and beyond, and I think we can all agree we don’t have enough security badges for everyone.
To quote a famous line from the movie Jaws, “We’re going to need a bigger boat.”
We at the Cluttered Desk (OK, I) have advocated for proper cybersecurity protections and applaud the industry for taking the issue seriously. However, as a relatively small company whose products are provided with no access to the networks or personally identifiable data of any TPA or insurance company, we find some incongruity in the process. You see, these third-party assessment companies are essentially hammers, and everything they see is a nail. Everyone, large, small, and in-between, gets hit with the same assessment.
Yes, we have an established security and asset protection plan.
No, we don’t have a $500,000 Supercalifragilisticexpialidocious security certification.
Yes, we have an established access control system that restricts server access to designated staff.
No, we do not employ Storm Troopers armed with Photon Phase Disruptors who are ordered to shoot unauthorized people on sight (although that is not a bad idea).
I am thinking that, in the future, for any security question where we have to answer “No,” because it is completely irrelevant to the services actually being provided, we will start answering “Yes, but the information is encrypted, and you can’t see it. Our security and asset protection plan prevents its disclosure. In fact, we haven’t been able to see it since it was encrypted, and no longer have any idea what it says. That is about as secure as you can get.”
It is either that, or the classic Pee-Wee Herman response, “I know you are, but what am I?”
That should give the third-party assessment company a run for their money. But I would also advise caution in these cases. You see, when you are a hammer and everything is a nail, there is only one approach to use when that nail will not cooperate. You simply hit it harder until it either submits or bends to your will.
This is why we sometimes wonder what third-party assessor assesses the third-party assessor, to begin with.