We all protect our personal information to prevent ID fraud, phishing scams, and cybercrime, but how well is your advisor protecting your company's utility data?
Outsourcing creates value for most organizations in corporate America by controlling operational expenses and increasing efficiency. The use of contractors makes a great deal of sense in areas such as facilities maintenance, customer service, and more complex areas such as the management of energy and utility programs. The process of outsourcing has both risk and reward, all managed through service level agreements focused on key deliverables, but is energy and utility data security included?
How do you manage data security with third-parties?
Over the years, hacking scandals have hit companies like Target, eBay, Yahoo, Under Armour, TJX, and Marriott, highlighting the need for corporations to increase their vigilance about how their systems manage, secure, and protect customers' data and, of course, how they train their staff. The latter is critical, because a high percentage of data breaches are the direct result of campaigns designed to exploit a weakness in security awareness, and these campaigns are becoming increasingly sophisticated at bypassing technical controls and gaining a foothold in otherwise well-protected systems. So is security training being extended to contractors too? Organizations rarely extend their in-house cybersecurity training programs to energy and utility advisors. Most service agreements expect the third party to take care of data diligently, but what does that mean, and how is diligence measured?
It is worth taking a look at your service agreement and the remedies available in the event of a data breach. Almost every deal has a confidentiality clause, so it tends to be this clause alone that is relied upon to establish a violation and, through the liability sections of the agreement, to provide compensation if something happens. This lack of clarity creates two issues for the customer. First, liability sections are typically capped at the contract value. Second, without a specific cybersecurity provision, a huge grey area can quickly open up as the provider defends what it considers "reasonable best efforts" to keep data confidential. The average cost of a single data breach is $3.86 million, so you may want to reflect on whether your agreement goes far enough to protect and/or compensate you if sensitive data is exposed.
How do you know your advisor and their system security can be trusted?
As a company that manages hundreds of thousands of utility bills on behalf of customers, Vervantis was keen to formalize its approach to energy and utility data security, to make sure its clients have a clear understanding of how the risks of managing their data are assessed, and to provide them with independent verification of the measures taken.
All utility bill processing and payment follows a structured protocol that is audited annually under the System and Organization Controls for Service Organizations (SOC) framework, resulting in a SOC 1 Type 2 report. When it comes to accurate financial reporting, SOC is an essential tool to keep everyone accountable and protected. A SOC 1 Type 2 report covers the controls relevant to a customer's financial reporting: the auditor assesses the risk assessment procedures, determines whether each control is suitably designed to achieve its stated control objective, and then tests that the controls operated effectively over a specified period (unlike a Type 1 report, which only considers design at a single point in time). The report also describes the system and how it works to achieve the goals set to serve our customers.
Vervantis as a business is SOC 2 Type 2 compliant.
A SOC 2 Type 2 report assesses internal controls against the five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. SOC 2 Type 2 is a framework for determining whether a service organization's controls and practices are effective at safeguarding the privacy and security of its customers' and clients' data, with the controls tested over a period of time rather than at a single point. Put simply, if an enterprise is a service provider that handles customer data, it should hold a SOC 2 Type 2 report. Ours demonstrates how highly we value client utility data and our commitment to the security and privacy of our customers' information, which is increasingly important in our connected digital age. While SOC 2 Type 2 audits are annual, testing never stops: all of our controls are continuously tested and verified, and our system undergoes third-party penetration testing throughout the year.
Where is your risk?
At Vervantis, our utility specialists manage millions of dollars of utility bills on behalf of clients and frequently intercept fraudulent bills and scam callers. While our internal checks and balances quickly expose fraud, it may not be as easy for a busy Accounts Payable team if key data has already been stolen: a fraudster who holds real account numbers, billing amounts and contact details can produce a far more convincing invoice or phone call, making detection much harder.
However, it is the potential for reputational damage that brings the largest challenges to organizations, stakeholders and investors. In a recent survey by PwC, some 92% of people look to companies to be proactive about data risk and 72% believe companies are better equipped than the government to take care of data. So when a company fails to take adequate precautions, there is no doubt where people feel the responsibility sits. While utility data is, of course, less sensitive than personal information or credit card details, leaks of information still damage reputations.
Trust does mean peace of mind.
SOC 2 Type 2 provides valuable insight into an organization's risk and security posture, vendor management, internal governance, and regulatory oversight, enhancing our reputation as a trustworthy organization and counterpart. The investment Vervantis has made in obtaining this level of attestation is a clear demonstration of how seriously we take cybersecurity challenges, and how important we felt it was for our customers to know that our processes and company can be trusted. In addition to SOC 2 Type 2, Vervantis ensures compliance with the California Consumer Privacy Act (CCPA), amongst others.
Can the same be said of your current vendor?
Take a moment to ask your energy advisor or broker what they are doing to keep your data safe.
Can a Data Breach Still Happen?
Vervantis has taken significant steps to safeguard client data but recognizes that it is almost impossible to remove 100% of the risk. That said, with the measures described above, a breach is far less likely to happen with us than with virtually any other energy consultant or broker in North America, and we hold cybersecurity insurance for further peace of mind. Ask your energy advisor or broker the same question, and you may well be surprised at what you find out.
Help is on Hand.
If you want to make your utility bill processing or energy procurement process secure, we are here to help. Vervantis prides itself on providing energy management software and utility solutions that comply with all aspects of system, process and data security. If you have questions or need more guidance, just drop us a line and one of our specialists will help. You can contact us here.