New Guidelines for TPAs: Here’s What You Need To Do

Are you a TPA? If yes, this post is for you! In April 2021, the Employee Benefits Security Administration within the United States Department of Labor released its first formal cybersecurity best practices guidance. These guidelines are still relevant to your business today. Let’s talk about why you should care and why it matters for your business.

Wait, am I a TPA? 

TPA stands for Third Party Administrator and refers to a company that provides operational services, such as claims processing and employee benefits management, under contract to another company. Insurance companies and self-insured companies often outsource their claims processing to such third parties (TPAs). 

What do the guidelines say?

The Employee Benefits Security Administration (EBSA), a Department of Labor (DOL) agency, prepared the guidelines as a comprehensive list of best practices for the service providers, including TPAs, that run plan-related IT systems and hold plan data, and for the plan fiduciaries who hire them. The DOL’s view is that mitigating cybersecurity risk is part of a plan fiduciary’s duties, which is why fiduciaries are expected to ask their service providers about these practices and why a TPA that cannot demonstrate them is a problem for the plans it serves.

Here is an overview of what the guidelines include (you can view the full PDF here): 

  1. Have a formal, well-documented cybersecurity program. 
  2. Conduct prudent annual risk assessments. 
  3. Have a reliable annual third-party audit of security controls. 
  4. Clearly define and assign information security roles and responsibilities. 
  5. Have strong access control procedures. 
  6. Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments. 
  7. Conduct periodic cybersecurity awareness training. 
  8. Implement and manage a secure system development life cycle (SDLC) program. 
  9. Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response. 
  10. Encrypt sensitive data – both stored and in transit. 
  11. Implement strong technical controls in accordance with best security practices. 
  12. Appropriately respond to any cybersecurity incidents.

What TPAs should be doing: 

  1. First and foremost, check in with your managed service provider or in-house IT team ASAP to determine if they’re aware of the DOL’s Cybersecurity Program Best Practices document. If you don’t have a qualified resource…get one! You will need skilled IT professionals to assist you in compliance with these guidelines.
  2. Assess your situation using the twelve best practices in the PDF. Which of these guidelines are you already complying with? Which do you need to address? What will be your priorities? 
  3. Make a clear plan with your managed service provider or IT team, including a budget for initiating necessary changes to comply.

If you are a TPA in need of help with IT security and compliance, we can help. PK Tech has worked in the financial space for over ten years. Get in touch with our team here.