Third-Party Risk Management: Protecting Data Privacy


It is no secret that today’s business world is driven by technology and digital data storage. Never before in history has the collection and transfer of information between businesses been done as rapidly or at such high volume. While this allows for businesses to scale their services at a rate never before imagined, it creates a number of potential problems when dealing with sensitive personal information. Data privacy protection is especially tricky when a business chooses to work with a third-party organization to collect or manage its data. In the modern business world it is imperative for companies to not only recognize what data is considered to be “sensitive”, but also to be proactive about ensuring that it is kept private and secure.

Secure Sensitive Data

The data that is the most significant and potentially harmful if compromised is any type of data that can be directly linked to a particular individual. This data, known as Personally Identifiable Information (PII), includes social security numbers, credit card information, medical records, etc. Many businesses store such information on a regular basis, but most do not adequately protect it.

While there are many pitfalls associated with managing digital data privacy, companies can take steps to ensure that their data remains secure both in-house and when working with third-party data management vendors.

  • Understand the risks of working with third-party vendors. Sharing key PII with a third party can lead to a loss, especially when the vendor’s financial controls are not properly certified by a recognized accounting standard such as the SSAE 16 Type II (SOC 2).
  • Be wary of nested third-party relationships. You may have vetted a particular service provider thoroughly enough to trust them with your business’s most sensitive PII, but this does not mean you are completely safe. Companies must also ensure that any and all outside entities involved with their vendors are abiding by the same data security standards.
  • Be proactive when planning for a third-party data compromise. Ensure that your company has a clearly defined procedure for handling security breaches that occur outside the organization. These procedures should be tested and should include comprehensive, standardized reporting to limit loss and prevent future incidents.

The Bottom Line

The points above are but a few of many things a business can do to protect itself from a loss related to third-party data security compromises. All of these steps and more can be best implemented through an all-inclusive vendor risk management program like Business Credentialing Services (BCS). BCS is a SOC 2 certified organization that is experienced in providing tight data security for its clients, and in ensuring that all clients’ vendors meet contractual insurance requirements in the event of a loss. Outsourcing this process allows businesses to focus on providing their products and services to their clients, knowing that all of their sensitive data is being properly managed.


Matney, Angela R., and Brian W. Fannin. “The Challenges of Third-Party Data Privacy Protection.” Risk Management: 33-37. Print.

Insurance Tracking Software


In today’s world, companies are expected to do the required legwork to ensure that their vendors, tenants, or borrowers are properly insured. This protects them from potential lawsuits arising from incidents that cause financial loss. That said, actually following through with this task is easier said than done. There are often complex legal requirements that must be met and a variety of specific documentation that is needed in order to ensure contractual insurance compliance for each third party a company might be involved with. For larger organizations, such as international real estate or hotel enterprises, this is a massive amount of data and would require an extreme amount of diligence to maintain. Because it is unlikely that such a process could be done manually, the concept of insurance tracking software was devised.

What does insurance tracking software do?

Insurance tracking software allows for the easy collection, storage, and monitoring of all types of insurance-related documentation and the key data points related to insurance requirements. Not only does this software simplify the process of organizing pieces of documentation, but it also allows companies to easily retrieve global metrics across all of their associated third-party entities. Companies can easily see how many of these entities meet their contract requirements, view detailed data for each, and update or delete information quickly.

Why is insurance tracking software necessary?

While it is theoretically possible to do this work by hand, it is not at all realistic. Storing physical copies of all required documentation would be a secretarial nightmare and would require a large amount of space. Many companies end up tracking millions of individual documents; storing these digitally on a secure server makes much more sense than buying a few warehouses to fill with paper. In addition, many insurance tracking software packages can programmatically determine compliance for each document against a configurable set of requirements. This automates the task of marking entities as compliant and limits the amount of human error involved in the process.

Minimizing Risk

The bottom line is that in today’s extremely competitive business environment, minimizing potential risk is of the utmost importance. It is not uncommon for a single incident to sideline a business’s operations for a long period of time, if not forever. The only way to reliably and efficiently meet the demands of risk management in a fast-moving global economy is to leverage technology to streamline and automate much of the process. Many large corporations rely on insurance tracking software to centralize and manage the ever-increasing amount of insurance-related data and documentation that they must ensure meets their particular contractual requirements. This software makes the business world a better place by ensuring that those who experience a loss have that loss recuperated, and that those responsible for the incident are properly protected.

BCS Certus™

Business Credentialing Services (BCS) gives its clients access to one of the industry’s premier insurance tracking software packages: Certus™. This proprietary software is a flexible database customized to display a range of key data points, including but not limited to vendor certificates of insurance, associated data, documents, and detailed compliance metrics. BCS also provides its clients with the Certus™ API, a web service that gives programmatic access to all client data, including files and metrics. With the API, clients can work with their internal IT department to automatically retrieve and organize Certus™ data through their existing systems. These extremely valuable pieces of technology are made even better when coupled with the abundance of insurance expertise and professional customer service provided on a daily basis by the insurance experts at BCS.

Terrorism Risk Insurance Act

In the wake of the 9/11 terrorist attacks in New York City, nearly all commercial reinsurance contracts renewing by the summer of 2002 included exclusions in coverage for acts of terrorism. Domestic insurers in turn passed these exclusions on to their insureds, leaving a giant gap in coverage for many real estate owners, developers, sports teams, and entertainment venues. Under pressure from a variety of sources, namely the banking industry, Congress enacted the Terrorism Risk Insurance Act (TRIA) to serve as a “backstop” against losses arising from acts of terrorism.

TRIA essentially dissolved all legal ambiguity regarding the distribution of public and private compensation for insured losses due to acts of terrorism. The act, signed into law in 2002 by President George W. Bush, was extended twice, in 2005 and 2007, and was set to expire once again on December 31st, 2014. With TRIA in place, the markets were calmed and the terrorism-based exclusions from insurance coverage were effectively eliminated.

Recently, the House of Representatives amended and passed the bill S. 2244 (Schumer, D-NY), which would extend the effects of the TRIA for another seven years. The bill, however, carried multiple stipulations, which included:

  • Incrementally increased the program trigger from $100 million to $200 million
  • Incrementally increased the insurer copay from 15% to 20%
  • Increased the recuperation of government expenditures from $27.5 million to $37.5 million
  • Established the National Association of Registered Agents and Brokers, commonly known as NARAB II. This is a nonprofit board that would allow insurance agents and brokers to obtain certification to operate on a multistate basis.

The bill S. 2244 was then passed along to the Senate, which had to pass it in order for the TRIA not to expire. While there were some objections to the agent provisions amended onto the bill in the House, S. 2244 successfully passed in a 93-4 vote.

Many industries, namely banking, insurance, and construction, have praised the TRIA, noting that it provides important stability and provides insurers with coverage that they would normally not be able to receive from private insurers otherwise. Jimi Grande, Senior Vice President of federal affairs for the National Association of Mutual Insurance Companies, celebrated the TRIA decision, noting: “Before TRIA, the risk of terrorism and the lack of available coverage ground commercial development almost to a halt, costing billions of dollars and thousands of lost jobs.” Today, more than 60 percent of companies in the United States have terrorism coverage in place, allowing major construction and development projects to continue nationwide.

TRIA is and continues to be an important factor in maintaining a stable United States economic climate. It will now be firmly intact through the year 2020, which should ease the fears of key markets. The obvious importance of a bill such as S. 2244 emphasizes how much influence changing trends in the insurance industry have on the overall health and productivity of the United States economy.

The 3 Questions to Ask About Your Vendor Risk Program


Risk consulting firm Protiviti recently highlighted questions a company should ask itself to determine whether its risk management program is on track. Several stand out as being very relevant to establishing a vendor risk program that actually works.

The main focus of each is on moving beyond vague long-term goals and instead focusing on achievable objectives and accountability. Whether you are establishing a vendor auditing program or a supplier financial screening initiative, the following questions are key in determining if your risk program is on track.

1. Does our risk profile reflect the risks we face currently?

This seems like an obvious question, but it is one that is easy to lose track of. Have the risks your organization faces increased or decreased over the last year? Clearly not all risks can be forecasted, but at the very least you should compare your known risk exposure with an honest assessment of whether you are better prepared to deal with it now than you were one year ago. For example, by comparing how many of your vendors are compliant with your terms and conditions today versus one year ago, you gain a sense of whether your overall vendor risk management approach is moving in the right or wrong direction.

2. Are directors and executive management on the same page in terms of risk appetite?

There must be a cohesive vision in place to work towards in executing a winning risk program. One approach is to replace overly vague company mission statements regarding risk with more granular, achievable objectives, and then to revisit those objectives in 6 months to ask whether real progress is being made. Stagnation in executing a risk program often stems from setting overly lofty goals at the outset, and then having directors and operations managers not focus on the same barometers of success over time, leaving nobody ultimately accountable.

To do this there must be accountability. Companies that succeed in executing a risk program usually find ways to eliminate redundant oversight of the program. Does a single person in your company have responsibility for owning a particular problem or program and reporting on its progress? As Protiviti reports in its findings, the more institutional overlap an organization has, with multiple people or departments sharing responsibility for executing a risk program and reporting on its success, the less likely that program is to succeed.

3. Is our risk culture encouraging the right behaviors?

This is key. If you go to the trouble of auditing every single vendor who works on site at a facility, requiring them to submit updated COIs, endorsements, etc., it means nothing if nobody checks that information at the gate and lets them in regardless. Vendor standards for risk compliance must be enforced; otherwise it becomes very hard to continue enforcing standards, especially in today’s environment of fast-traveling information, where a non-essential exemption for one vendor can quickly lead to other vendors requesting similar exemptions.

A comprehensive risk management program must ensure that vendors are safe, compliant, insured, and financially stable. This is critical to minimizing potential loss. If your vendor risk management program cannot satisfy the above 3 questions, now is the time to evaluate what needs to change.

Business Credentialing Services can help you analyze whether your risk program is passing or failing the above three questions.

US Companies Are Terrified of Reputational Risk, but Too Afraid to Do Anything About It

In its annual board of directors risk survey report, EisnerAmper found a surprising disconnect among risk managers at publicly traded companies in the US.

Aside from financial risk, the top risk area companies are most concerned with is risk to reputation, far ahead of other top responses.


However, despite so many companies being worried about reputational risk, the survey found that nearly 30% of companies were doing nothing to address the concern, even though many respondents also stated that implementing a risk program fell under their purview at their respective companies.

One of the main reasons for the disconnect between companies worried about risk to reputation and a willingness to act on the risk is that many board members are unfamiliar with cybersecurity and social media, two large vectors of reputational risk. Because of their unfamiliarity, they are apprehensive to engage resources or spend time or money to address a risk that they may not fully understand.

This tension leaves companies operating with large gaps in their risk programs. Companies want to address reputational risk and cyber security, but lack of familiarity makes it easy to put off for yet another year. As a result, less than 40% of the publicly traded companies that responded to the survey even have a fully implemented risk management program in place. Companies end up operating in a permanent quicksand of risk preparedness: they know something needs to be done to get out of the mess, but they are afraid to move in the wrong direction for fear of sinking further.

This unfortunately misses a broad point of risk planning, which is that risk is interconnected. Whether it is risk to reputation, cyber security, supply chain, or vendors, a proactive and thoughtful risk program is preferable to none.

Contractor Focus – Florida Workers’ Comp Statute Declared Unconstitutional


A court in Miami-Dade County, Florida found Section 440.11 of Florida’s Workers’ Compensation Act unconstitutional, ruling that it does not provide adequate medical care for injured workers or dollars to replace lost wages. Section 440.11 makes the Act the “exclusive” remedy available to injured Florida workers and their families for injuries or death incurred on the job.

The court held that under US Supreme Court precedent, workers’ comp benefits must be “significant” if they are the only remedy available to the worker. Additionally, under a Florida Supreme Court ruling, Florida workers have a “fundamental right” to workers’ compensation benefits, meaning that statutes which impinge on or discriminate against those benefits are subject to strict scrutiny under the 14th Amendment equal protection and due process clauses. In other words, because the Florida Constitution says workers’ comp benefits are a fundamental right, the legislature is not allowed to tinker with those rights without strict scrutiny and review from the courts.

The court reasoned that in 1968, when Florida enacted the Workers’ Compensation Act and made it the exclusive remedy for workers and their families, the act provided a total of 12 years of possible benefits to injured workers or deceased workers’ estates. However, by 2003 that had been reduced to only 2 years’ worth of total possible benefits, along with some other impairment benefits available through the State and little else.

The court held that the 2003 law last modifying the Workers’ Compensation Act was unconstitutional as an exclusive remedy because it “is no longer an adequate exclusive replacement remedy in place of common law tort as required by the 14th Amendment to the U.S. Constitution or by the Florida Constitution.”

The decision will likely be appealed, but has immediate short-term impact for employers and additional insureds currently operating in Florida.

Tracy Morgan Sues Wal-Mart for Negligence after Car Accident

Retailer Wal-Mart is being sued by actor and comedian Tracy Morgan for negligence after the actor was seriously injured in an auto accident on June 7th, when a Wal-Mart truck struck the vehicle in which the actor and several others were passengers.

In the civil complaint, lawyers for Mr. Morgan allege that Wal-Mart was negligent for, among other things, not factoring in its drivers’ commute times to and from work when assigning routes, with the result being sleep-deprived drivers and Wal-Mart possibly being in violation of laws regulating how long commercial truckers may be behind the wheel.


The driver, Kevin Roper, began his shift after a 700-mile commute from his home to a Wal-Mart facility.

The lawsuit was filed July 10 in U.S. District Court in Trenton, New Jersey. The case raises interesting issues of negligence on the part of companies that employ drivers, and of whether a driver’s commute from home to work before beginning a driving shift contributes in whole or in part to the negligence of that driver.