
Why You Need Cyber Security Insurance and How to Get It

Aug 9, 2022

By Kevin Smallen, Chief Information Security Officer, PenChecks Trust®

In recent months, the topic of Cyber Security insurance has crept to the top of the charts for the Department of Labor’s (DOL) ERISA Advisory Council (EAC). Each year, the EAC picks topics it deems crucial to the administration of ERISA. For their May 6, 2022, meeting, they chose “Cyber Security insurance and employee benefit plans” as one of their topics. When the DOL and, specifically, the EAC take a closer look at a topic like Cyber Security insurance for those who handle employee benefit plan data, you can rest assured it will soon become a mandatory focus.

As cybercrimes continue to grow in number, Cyber Security insurance, and the financial mitigation it provides, is becoming a mandatory component for every company that holds personally identifiable information (PII) related to employee benefit plans. With no end to the escalation of attacks in sight, the cost of maintaining Cyber Security insurance coverage is also skyrocketing. In 2021 costs increased by more than 35%. At the same time, companies with PII to protect are finding it harder to qualify for this type of coverage, because the insurance companies that underwrite this risk are demanding more stringent controls for protecting the data you hold.

The good news is that insurance carriers are getting more educated about which cyber security controls are most effective in a layered approach. They’re also becoming more aware of controls needed to corral the vulnerabilities uncovered in cloud environments. Insurance companies now know what to look for and are using their cyber security experts to help assess organizations looking for insurance protections against a possible breach.

Five Must-Haves to Qualify for Cyber Security Insurance

As a company responsible for employee benefit plan data, here’s what you need to qualify for affordable coverage:

1. Pick a security/compliance framework and run with it

Select an information security framework like NIST Cybersecurity Framework (CSF) or ISO 27001. Some insurance companies are now looking for this as a possible requirement for cyber security coverage.

2. Don’t skimp on network security

Implement company-wide multi-factor authentication (MFA). Don’t settle for merely turning on MFA for your email. Instead, implement it across the board for all your enterprise access points, including email, company portals, firewall administration, workstation logins, VPNs, etc. To protect against social engineering of your users – the #1 cause of breaches – invest in a robust Security Awareness training regimen focused on phishing and ransomware techniques.

3. Vendor due diligence

Understand and vet your current vendors’ security and compliance at least annually. Always vet a potential vendor as part of your selection process before pulling the trigger on a decision.

4. Incident Response Plan

Security incidents are a matter of “when” not “if”. Unfortunately, no system is 100% secure, so have an incident response plan ready and test it once a year at a minimum. I have seen some insurance companies inquiring about retaining third-party incident response if your Response Team is not up to the task of responding to and communicating breaches. Insurance companies need to feel confident you are prepared to respond to an incident before they will offer you coverage.

5. SOC 2 Compliance

Bite the bullet and head towards SOC 2 (Service Organization Control) compliance – an auditing procedure that ensures service providers securely manage data to protect the interests of the organization and the privacy of its clients.

Securing Cyber Security insurance is fast becoming the only path to acquiring new business and keeping current clients. If your company has employee benefit plan data to protect, understanding your baselines to qualify for and maintain this vital coverage is of paramount importance to the life of your business.

Kevin Smallen MS, CISSP, ITIL-F is PenChecks Trust’s Chief Information Security Officer with more than three decades of experience in the Information Technology and Data Security field. Roles in systems engineering/architecture and technical management have enabled him to become a well-rounded information security specialist. Kevin holds a Master of Science in Cybersecurity from Liberty University and continues to approach cybersecurity objectives with Confidentiality, Integrity, and Availability (CIA) as the main tenets of how an organization handles data when it is stored, transmitted, and processed.
