Vendor Vulnerabilities

Risky Business

Being vigilant on cyber security requires companies to have confidence in the IT protections of their vendors and partners.
December 18, 2014 • 3 min read

Like everyone else, I shop at Target, Home Depot and TJ Maxx, and as a consequence of their security breaches, and for my future protection, I have had to exchange my credit card several times.


Although I am very careful about sharing personal data and keep a shredder very busy, clearly the companies with whom I do business have vulnerabilities that they and I were unaware of.

Such vulnerabilities impact our industry as well.

In July, the Consero Group surveyed executives of Fortune 1000 companies; 65 percent said they do not believe their vendors are sufficiently focused on minimizing risk.

We are in an industry where vendors abound and we rely heavily on them to provide services to our clients, our employees, our medical and ancillary providers, and to each other.

What are the risks if our vendors do not meet the highest standards and have vulnerabilities that affect the various stakeholders in our business?

Data security – We must be certain that all the data we collect and share (much of which is highly personal and confidential) is secure. How can you be sure that all of your vendors have the “right” level of controls to keep your and your clients’ data secure?

Financial impact – Financial transactions are at the core of our businesses. In today’s highly technology-based business practices, many of these transactions are performed electronically. How do you know whether your and your vendors’ systems are protected against unauthorized access?

Compliance/regulatory impact – Is your vendor’s system processing complete, accurate, timely, regulatory compliant and authorized?

Controls – Exactly what controls do your vendors have in place to prevent the security breaches that have become all too frequent?

Compliance Standards

Remember the SAS 70? From 1992 until it was superseded, SAS 70 was the auditing standard for reporting on the internal controls, including IT-related controls, of service organizations.

However, two key authorities, the American Institute of Certified Public Accountants (AICPA) and the International Auditing and Assurance Standards Board (IAASB), identified the limits of SAS 70 and acknowledged the need for a stronger attestation standard.

Certainly, our recent experience of all types of security breaches would indicate that we do need to do more. Thus in 2011 SSAE 16 replaced SAS 70 as the attestation standard for reporting on a service organization’s controls (the basis of today’s SOC 1 reports), and the AICPA’s Trust Services Principles and Criteria became the basis of SOC 2 and SOC 3 reports covering security, availability, processing integrity, confidentiality and privacy.

Sparrow, Johnson and Ursillo, a full service accounting and technology firm serving a wide variety of clients all over the country including members of the banking community, describes the SSAE 16 standards this way:

“These attestation standards address engagements undertaken by a service auditor for reporting on controls at service organizations that provide services to user entities (customers). User entities in reality take on many of the risks of their outsource partners. These attestation standards provide the framework for CPAs to report on the internal controls over financial reporting as well as compliance and operations of the service organizations in order to determine and demonstrate the effectiveness of internal controls.”

With these new standards, entities can describe and document more precisely how services are being delivered and how controls are utilized within finance, operations and compliance. Reports issued under these standards (strictly, attestation reports rather than certifications) can be used to identify risks, evaluate the effectiveness of internal controls and provide the assurances we all need as they relate to our vendor partners.

Focus on Vendors

I would suggest that you make this a high priority in your organization. We are, after all, in the business of risk management and we need to ensure that our vendors/partners are as focused as we are on minimizing risks.


Ask yourself these questions:

• How do you know that your vendors are doing what it takes to protect your systems and data?

• Have you talked to your vendor partners about their internal controls as they relate to their business with you?

• Is your vendor management department knowledgeable about the Trust Services Principles?

• Are you — or should you be — requiring your vendors to be SSAE 16 compliant, that is, to provide a current SOC report covering the services they perform for you?

All of us need to be more vigilant and better protected against security breaches. Are you and your company as protected as you need to be?

Maddy Bowling is a principal in Maddy Bowling Consulting, Inc., a WC consulting firm. Bowling has 35 years of broad-based executive management experience within operating, corporate and consulting environments. She can be reached at

Risk Insider: David Lewison

5 Tools to Help Risk Managers Before a Cyber Loss

December 18, 2014 • 2 min read
David Lewison is co-leader of the AmWINS Financial Services National Practice, which includes cyber liability and other types of management and professional liability. He can be reached at

Risk management professionals in health care have to be both paranoid and hyper-diligent because organizations in that sector face threats from multiple fronts that can put them out of business.

Every patient is potentially a plaintiff. Regulators are reviewing a lengthy list of concerns, including employee safety, employment practices, patient safety, patient privacy, facility safety, Medicare billing, environmental impact and tax status.

There have been myriad articles outlining the benefits of cyber liability insurance after a data breach. While most people know that cyber liability insurance pays for claims following a loss, many overlook the benefits for risk managers prior to a breach, and even in the absence of a data breach.

Here are five pre-breach benefits provided by leading insurers and their partner vendors that may reduce both the likelihood of a breach and the resulting damages.

1. Compliance training.

Some insurers provide customized web-portal delivered training to employees regarding the handling of personally identifiable information (PII) and protected health information (PHI).

One way risk managers can improve their organization’s cyber liability risk profile is to train their employees to handle private information properly. Privacy attorneys will tell you that their discussions with regulators are far more pleasant when they can quickly demonstrate that an honest mistake was made by well-trained employees rather than negligence or indifference.

2. Test your network.

Insurers have partnered with well-known security firms to help assess the strength of an organization’s network security. This shouldn’t be viewed as a threat to the competence of an IT department, but rather as an additional assessment that doesn’t deplete the IT budget.

3. Manage risk.

Most insurers offer risk management content from highly specialized vendors on a web portal specifically for the use of the insurance buyer.  These portals typically contain sample privacy policies for websites and employee handbooks, data breach examples, loss calculation tools, risk management tips, news articles and claim contact information.

4. Call an expert.

Some insurers will provide access to both legal and IT professionals to ask questions about incidents that may or may not constitute a breach. The lawyers help the organization understand the various state and federal regulations and what needs to be reported.

5. Develop a breach response plan.

Included with the cyber liability insurance policy, risk managers will often find a roadmap of what to expect in the event of a breach. On that list they may find a “breach coach” who coordinates forensic security vendors, law firms, public relations professionals, insurance company claims contacts and more.

Sometimes you get what you pay for, but in the case of cyber liability insurance policies, risk managers get an insurance product in addition to a host of services that help lower their risk profile.

When you’re ready to purchase cyber liability insurance, make sure you review the additional service offerings to be sure they include these additional benefits.


Sponsored: Healthcare Solutions

The Promise of Technology

A roundtable in Philadelphia explores the power of technology in WC and its potential to take us where we have never been before.
December 10, 2014 • 7 min read

The field of workers’ compensation claims management seems ideally suited as a proving place for the power of technology.

Predictive analytics in the hands of pharmacy and medical management experts can give claims managers the data they need to intervene in troublesome claims. Wearables and other mobile technologies have the potential to give healthcare providers “real-time” reports on the medical condition of injured workers.

Never before have the goals of quick turnaround and transparency in managing claims appeared so tantalizingly achievable.

In the effort to learn more about technology’s potential, in September, Risk & Insurance® partnered with Duluth, Ga.-based Healthcare Solutions to convene an information technology executive roundtable in Philadelphia.

The goal of the roundtable was to explore technology’s promise and to gauge how advancements are serving the industry’s ultimate purpose, getting injured workers safely back to work.


Big Data, Transparency and the Economies of Scale

Integration is a word often heard in connection with workers’ compensation claims management. On one hand, it refers to industry consolidation, as investors and larger service providers seek to combine a host of services through mergers and acquisitions.

In another way, integration applies to workers’ compensation data management. As companies merge, technology is allowing previously siloed stores of data to be combined. Access to these new supersets of data, which technology professionals like to call “Big Data,” presents a host of opportunities for payers and service providers.

Through accessible exchange systems that give both providers and payers better access to the internal processes of vendors, a service provider can show the payer the status of the claim across a much broader spectrum of services.


“Any time that we can integrate with a payer across multiple products such as pharmacy, specialty and PPO services, what it does is gives us a better picture of the claim and that helps us to drive better outcomes,” said roundtable participant Chuck Cavaness, chief information officer for Healthcare Solutions.

Integration across multiple product lines also produces economies of scale for the payer, he said.

Big Data, according to the roundtable participants, also provides claims managers an unparalleled perspective on the cases they manage.

“One of the things that excites us as more data is exchanged is the ability to use analytics to predict outcomes, and to implement workflows to intervene,” said roundtable participant Matthew Landon, vice president of analytics with Lakeland, Fla.-based Bunch CareSolutions, A Xerox Company.

Philadelphia roundtable participant Mike Cwynar, vice president of Irvine, Calif.-based Mitchell International, agreed with Landon.

“We are utilizing technology to consolidate all of the data, to automate as many tasks as we can, and to provide exception-based processing to flag unusual activity where claims professionals can add value,” Cwynar said.

Technology is also enabling the claims management industry to have more productive interactions with medical providers, long considered one of the Holy Grails of better case management.

Philadelphia roundtable participant Jerry Poole, president and CEO of Malvern, Pa.-based claims management company Acrometis, said more uniform and accessible information exchange systems are giving medical providers visibility into how bills are moving through the claims manager’s process.

“The technology is enabling providers to call in or to visit a portal to figure out what’s happening in the process,” Poole said.

More efficient data storage and communication is also resulting in quicker turnaround times, which is shortening the duration of claims and driving down the overall cost of risk, according to Cwynar.


Going Mobile

Another area where technology is moving the industry forward, according to the Philadelphia technology roundtable participants, is mobile technology, which is being used to support adjusters and case managers and is also contributing to quicker return to work and lower costs for payers.

The ability to take a digital tablet to a meeting with an injured worker or a health care provider is allowing case managers to enter data and give feedback on a patient’s condition in real time.

“Our field-based case managers have mobile connectivity to our claims systems that they use while they’re out of the office attending doctor’s appointments, and can enter the data right there into the system, so they’re not having to wait until they are back at the office to enter critical clinical documentation,” said Landon.

Injured workers who use social media, e-mail and texting on their mobile phones stay in better touch with those charged with ensuring that they comply with their treatment plans.

Wearable devices that provide in-the-moment information about an injured worker’s condition have the potential to recreate what is known in aviation as the “black box,” a device that would record and store the precise physical state of an employee at the moment of injury. Such a device could also monitor the recovery process.

But as with many technologies, worker and patient privacy must also be respected.

“At the end of the day, we need to make sure that we approach technology enhancement that demonstrates value to the client, while ensuring patient advocacy,” Landon said.


As payers and claims managers set out to harness the power of computing in assessing an injured worker’s condition and response to treatment, the cycle of investment in companies that serve the workers’ compensation space is currently playing a significant role.

The trend of private equity investing in companies that can establish one-stop shopping for such services as medical case management, bill review, pharmacy benefit management and fraud forensics has huge potential.


The challenge now facing the industry, one the information technology roundtable participants are confident it can meet, is integrating those systems. But doing so won’t happen overnight.

“There’s a lot of specialization in the industry today,” said Jerry Poole of Acrometis.

Years ago there was a PT network. Now there’s a surgical implant guy, there’s specialized negotiations, there’s special investigations, said Poole.

The various data sets need to be integrated into an overall data set that carriers can use to help lower the cost of risk.

“Consolidating all these providers will take standardization of communication pathways and it will likely be led by the vendors,” Poole said.


Securing Sensitive Information

Long before hackers turned the cyber defenses of major national retailers inside out, claims management professionals had been paying increased attention to the protection of data shared across multiple partners.

Information security safeguards are evolving and apply to what technology pros refer to as “data at rest,” data stored on a particular company’s servers, and “data in flight” (more commonly called data in transit), data that is transferred from one system or user to another.

Mitchell’s Cwynar said carriers want certification that every company their data is sent to actually needs that information, and that both data at rest and data in flight are encrypted.

The roundtable participants agreed that the industry is in a conundrum. Carriers want more help in predictive analytics but are less willing to share the data needed to make those predictions.

And as crucial as avoiding cyber exposures and the corresponding reputational damage is for large, multinational corporations, it is even more so for smaller companies in the workers’ compensation industry.

Healthcare Solutions’ Cavaness said the millions in loss notification and credit monitoring costs that impact a Target or a Home Depot in the case of a large data theft would devastate many a workers’ compensation service vendor.

“They’d be done in a minute,” Cavaness said.

The barriers to entry in this space are higher now than ever before, continued Cavaness, and companies wishing to do business with large carriers bear the burden of proving that their security standards are uncompromising.

In Reality

Workers’ compensation risk management in the United States is, by its very nature, complex and demanding. But keep in mind that those charged with managing that risk get better results year after year.

Technology has a proven capability to iron out the system’s inherent complications and take its more mundane tasks off the shoulders of claims adjusters.

The roundtable members agreed that the business goals of a lower cost of risk and an even more productive workforce will follow.

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Healthcare Solutions. The editorial staff of Risk & Insurance had no role in its preparation.

Healthcare Solutions serves as a health services company delivering integrated solutions to the property and casualty markets, specializing in workers’ compensation and auto liability/PIP.