Financial Company Requires Extraordinary In-Depth Review of Health & Welfare Administration Providers’ Security Protocols.
A financial services organization, due to the nature of their business, implemented exceedingly strict data security requirements for all internal data management and processes. The decision was made to apply the same internal data security protocols to a third-party partners including their benefit administration providers. The company has over 10,000 employees and retirees.
During the issuance of new data security protocols, the contract with their health and welfare (H&W) administration provider was expiring. The client chose to conduct an H&W search project. Their current administration provider quickly responded to their inability to meet the new security guidelines. The organization concluded the need to assess marketplace administration providers regarding their ability to meet the new security requirements.
The organization engaged Curcio Webb to develop an in-depth Request for Information and a related process to assess marketplace administration providers’ ability to meet the new security guidelines. Out goal was to assess each provider’s ability to meet the defined guidelines and determine their adherence to those programs. We informed our client that each considered provider uses multiple system platforms and processes to support their desired scope of services. The assessment required focus on the main system platform, in addition to all systems that store employee data – including those managed by subcontractors. Other platforms for consideration included case management, phone call recordings, document fulfillment, and billing.
Working with the clients’ IT and Procurement, Curcio Webb developed an assessment tool and distributed it to considered providers. The first step was to determine if the provider was willing to supply detailed information about each of their platforms and processes including those of subcontractors. This was the first time that the providers were asked to:
- Provide the level of detail about their security protocols and agree to allow the plan sponsor to physically test the strength of their security.
- Require the provider’s subcontractors to participate in the same level of scrutiny.
A major provider declined to participate based on their unwillingness to share the information pertaining to their subcontractors. Others participated with varying results – some were reluctant to share information about all the platforms addressed by the request because it was difficult to obtain the data from third parties. For example, some providers did not initially identify platforms supporting services like fulfillment, case management, or call recordings as being part of the request. Several rounds of requesting information and review were required to obtain the necessary information.
The project resulted in three providers being down-selected for the outsourcing arrangement. The organization successfully contracted with an administration provider who met all the stringent security and administration requirements. The selected organization was also able to display leading edge and engaging tools and technology and a competitive financial arrangement.
One unique aspect of this project is that the client’s IT Security team controlled who received the administrative services RFP. The process also identified areas where security standards vary significantly throughout the provider marketplace.
At a Glance Benefits
All security and administration requirements will be met by your provider.
Your provider will display leading edge technology, engaging tools, and a competitive financial arrangement.