Balancing the rewards and data security risks of TPAs



Balancing the rewards and data security risks of TPAs | Insurance Business America















“We’re a target for hackers and breaches”



By Nicole Panteloucos

In the insurance industry, specialization often yields better results than generalization. However, with expanding global markets and increasing demands for comprehensive insurance solutions, maintaining expertise in every area can be lucrative for insurers and brokers – but they need support. This is where Third-Party Administrators (TPAs) come into play.

TPAs act as essential behind-the-scenes partners, managing the entire claims process from start to finish. They enhance efficiency and cost-effectiveness, ensure compliance with legal regulations, and bring specialized expertise to complex, resource-intensive tasks.

Emphasizing the value of TPAs, Christopher Schaffer, CEO of Charles Taylor claims solutions, Americas, shared: “TPAs are the front-line service representatives for policyholders and claimants.”

“TPAs are typically going to have better technology, better analytics, and are more adept at customizing workflows to meet client needs,” added Schaffer. “We’re not trying to paint a broad brush across diverse groups of insureds.”

Cybersecurity risk and data breaches  

While TPAs offer numerous benefits, their services can also be a double-edged sword.

While internal claims departments allow for close oversight of claims, this approach may limit insurer scalability. On the other hand, relying on TPAs can introduce significant cybersecurity risks.

As the US insurance TPA market is projected to exceed $240 billion by 2030, it’s crucial for insureds and brokers to remain vigilant against digital threats. “Technology and data security are typically TPAs’ largest area of expense,” echoed Schaffer. “It’s a big part of where we spend and invest our money.”

Last month, WebTPA, a provider of administrative services to health plans and insurance companies, suffered a data breach affecting 2.4 million policyholders. The breach impacted customers of major insurers such as The Hartford, Transamerica, and Gerber Life Insurance.

“It’s hard to say, ‘Hey, we’ve had something happen and it could have been our mistake.’ No one likes saying that,” said Schaffer. “But you must be prepared so that you do the right thing when these sorts of events occur.”

According to an announcement posted on WebTPA’s website, the threat actor had access to clients’ personal data for five days between April 18 and April 23, 2023. However, WebTPA discovered the breach only much later, in December, and launched an investigation immediately after.

Incidents like this are increasingly concerning for brokers in the health sector, especially given that health plan insurers heavily rely on TPA services. Currently, approximately 60% of US workers with non-federal health employee benefits are enrolled in plans that utilize third-party administration, a figure that continues to grow.

The risk here is considerable, as TPAs like WebTPA handle highly sensitive and valuable participant data including Social Security numbers, financial account details, and medical records. “We’re a target for hackers and breaches; it’s any TPA’s greatest concern,” Schaffer emphasized.

How can brokers mitigate TPA risks?

To protect themselves from potential losses and avoid being implicated by TPAs, insurance professionals need to maintain strong relationships with third-party administrators. This ensures there is adequate communication across command chains, enabling effective risk management and alignment in safeguarding sensitive information.

Brokers can take several steps to mitigate risks when working with TPAs:

  • Incident response plan: Develop a comprehensive incident response plan that includes coordination with the TPA in case of a data breach.
  • SOC 1 and SOC 2 certifications: Ensure your TPA has SOC 1 and SOC 2 certifications to verify they follow stringent data security and privacy standards.
  • Monitor regulatory compliance: Stay updated on relevant regulations and ensure the TPA is compliant with all applicable laws.
  • Employee education: Ensure both your team and the TPA’s employees are trained on data protection best practices and breach response procedures.
  • Insurance coverage: Verify that the TPA has appropriate cyber insurance coverage to mitigate financial risks in case of a breach.

Underscoring the value of preparedness from the TPA perspective, Schaffer shared: “For us, it’s not only being able to protect against risk, but knowing what we do if those events occur, and having clear standard operating procedures on how we deal with them.”

“If a breach occurs, will you know how many people were potentially affected? How will you plan to notify them? You can’t be figuring this stuff out at the time of an incident,” he added.
