Comp Carriers, Law Firms, TPAs Will Soon Need Cybersecurity Certification
Thursday, May 21, 2020
It stands to reason that a major U.S. defense contractor would have to meet the federal government's extensive new standards on cybersecurity and face regular audits from security experts.
But would the contractor's workers' compensation insurance carrier and claims management company also need to beef up their computer safeguards and get certified? And what about the attorneys for the carrier? Paralegals? Compensation agencies and courts?
The answer to those questions is, “probably,” according to computer security firms and organizers of a Workers' Compensation Institute conference on the subject that's scheduled for August. Without the certification, comp companies and firms likely won't be able to do business with companies that contract with the Department of Defense.
“This is a big deal for the workers' comp industry. But it's so new, a lot of people don't know how important it is and what they need to do to comply with the new rules,” said James McConnaughhay, a Florida insurance attorney and chairman of the Workers' Compensation Institute, or WCI.
The new program is not without its critics, but WCI and defense contractors appear to be taking it seriously. The matter is considered urgent because the Department of Defense's first requests for proposals requiring the new standards are set to be released in October.
And it's important enough that although WCI this year canceled its massive annual conference in Orlando, Florida, because of the coronavirus pandemic, it decided to continue with the cybersecurity session. Some big names are slated to speak at the Aug. 19-20 event, including U.S. Sen. Marco Rubio, R-Florida.
McConnaughhay said Wednesday that Rubio may not be able to attend because of new responsibilities: He was named this week as acting chair of the Senate Intelligence Committee after Sen. Richard Burr stepped down amid allegations of insider trading. But U.S. Rep. John Rutherford, R-Jacksonville, who helped co-author some of the new standards, may be available, McConnaughhay said.
The other keynote speaker is Katherine Arrington, who has spoken to defense contractors around the country about the issue. She is the chief information security officer for the assistant U.S. secretary of state for acquisition. At a recent conference, she said the increased threat of cyberattacks has forced the government to make computer and network security fundamental when considering bids on DOD contracts, on a par with quality, cost and ability to stay on schedule.
And the scrutiny now extends to subcontractors and vendors, regardless of size or function, that may need to hire extra staff or consultants to rework their security protocols, according to Summit7 Systems, a cloud-computing and cybersecurity firm that posted Arrington's talk.
McConnaughhay said WCI organizers decided last year to hold the cybersecurity forum because the new standards were announced about the same time that CorVel Corp., a nationwide workers' comp claims management company, was hit with a ransomware attack.
“The CorVel mess and what they went through is really what put us on to this,” he said.
The comp world saw then that it needs to learn how to protect itself, not only to continue working with defense contractors and subcontractors, but also to be able to fend off data breaches that can shut down corporations for weeks, McConnaughhay said.
CorVel has not said much publicly about the July 2019 attack, which some reports have linked to North Korean hackers who demanded millions of dollars to unlock the company's data. The company's recent financial reports suggest that revenues were not noticeably harmed by the attack, but leaders are concerned about future breaches.
“We have invested in and continue to expend significant resources on information technology and data security tools, measures, processes, initiatives, policies and employee training designed to protect our information technology systems, as well as the personal, confidential or sensitive information stored on or transmitted through those systems, and to ensure an effective response to any cyberattack or data security incident,” reads CorVel's financial filing for the fourth quarter of 2019, the most recent report available.
“There can be no assurance that the security measures we employ will effectively prevent cybersecurity breaches or otherwise prevent unauthorized persons from obtaining access to our systems and information,” the report noted.
As millions more employees work from home because of the pandemic, companies are likely to see more data breaches, according to news reports and cybersecurity analysts.
McConnaughhay said the need for better cyber-awareness extends to even the most pedestrian of businesses. A soft drink vendor for a military base, for example, may need a heightened level of security certification because it has to have a map of the base to know where the machines are.
But would that beverage company's comp carrier and third-party administrator also need to meet the standard? It depends on what type of information the stakeholders normally handle.
The new Defense Department program is known as the Cybersecurity Maturity Model Certification, or CMMC. It has five levels of security. Companies that contract directly with the department may be required to meet level five standards, which could mean adherence to as many as 171 best practices and rules, according to DOD guidelines.
Third-party vendors may need to reach only level two or three — “intermediate cyber hygiene” or “good cyber hygiene,” as the guidelines call them. But that could still mean following as many as 130 practices, including new email systems and protocols, passwords, firewalls, anti-attack software, real-time backup of files, installation of software manufacturers' security patches, and a response plan for attacks, security firms have said.
The big difference between the new federal standards and the old ones is that the previous certification was largely self-policing. Contractors and subcontractors simply vouched that their cybersecurity was up to the challenge and were occasionally audited later.
The CMMC approach requires that companies be evaluated and certified before they can even bid on a project. And then they must be regularly audited by experts to assess the security measures. The program will be managed not by the DOD, but by a non-profit organization whose board of directors was recently appointed.
And that's where critics have said the program falls short.
In a guest column in Forbes last month, a former undersecretary of defense called CMMC “deeply flawed.” Frank Kendall, now a consultant, said that because companies must pay auditors to certify their security protocols, that creates an inherent conflict of interest — with little government oversight.
The DOD also has acknowledged that it may require some 10,000 licensed security assessors to do the audits, and that the program may not be fully functioning until 2026.
“Let's kill this bureaucratic monster before it gets any bigger than it already has,” Kendall wrote.
That seems unlikely. McConnaughhay said the WCI is moving ahead with the cyber-conference, which will feature two days of informational sessions as well as simulated cyberattacks, so stakeholders can see firsthand how to prevent and respond to attacks.
The conference will be at the sprawling Marriott World Center, where large conference rooms allow for social distancing, he noted.