By Kevin Smallen, Chief Information Security Officer, PenChecks Trust®
In recent months, the topic of Cyber Security insurance has crept to the top of the charts for the Department of Labor’s (DOL) ERISA Advisory Council (EAC). Each year, the EAC picks topics it deems crucial to the administration of ERISA. For their May 6, 2022, meeting, they chose “Cyber Security insurance and employee benefit plans” as one of their topics. When the DOL and, specifically, the EAC take a closer look at a topic like Cyber Security insurance for those who handle employee benefit plan data, you can rest assured it will soon become a mandatory focus.
As cybercrimes continue to multiply exponentially, the mitigating effects of Cyber Security insurance are becoming a mandatory component for all companies holding personally identifiable information (PII) related to employee benefit plans. With the escalation of attacks having no end in sight, the cost of maintaining Cyber Security insurance coverage is also skyrocketing. In 2021, costs increased by more than 35%. At the same time, companies with PII to protect are finding it harder to qualify for this type of coverage, as the insurance companies that cover this risk are demanding more stringent controls for protecting the data you hold.
The good news is that insurance carriers are getting more educated about which cyber security controls are most effective in a layered approach. They’re also becoming more aware of controls needed to corral the vulnerabilities uncovered in cloud environments. Insurance companies now know what to look for and are using their cyber security experts to help assess organizations looking for insurance protections against a possible breach.
Five Must-Haves to Qualify for Cyber Security Insurance
As a company responsible for employee benefit plan data, here’s what you need to qualify for affordable coverage:
1. Pick a security/compliance framework and run with it
Select an information security framework like NIST Cybersecurity Framework (CSF) or ISO 27001. Some insurance companies are now looking for this as a possible requirement for cyber security coverage.
2. Don’t skimp on network security
Implement company-wide multi-factor authentication (MFA). Don’t settle for merely turning on MFA for your email. Instead, implement it across the board for all your enterprise contact points, including email, company portals, firewall access, workstation logins, VPNs, etc. To protect against social engineering of your users – the #1 cause of breaches – invest in a robust Security Awareness training regimen focused on phishing and ransomware techniques.
3. Vendor due diligence
Understand and vet your current vendors’ security and compliance at least annually. Always vet a potential vendor as part of your selection process before pulling the trigger on a decision.
4. Incident Response Plan
Security incidents are a matter of “when” not “if”. Unfortunately, no system is 100% secure, so have an incident response plan ready and test it once a year at a minimum. I have seen some insurance companies inquiring about retaining third-party incident response if your Response Team is not up to the task of responding to and communicating breaches. Insurance companies need to feel confident you are prepared to respond to an incident before they will offer you coverage.
5. SOC 2 Compliance
Bite the bullet and head towards SOC 2 (Service Organization Control) compliance – an auditing procedure that ensures service providers securely manage data to protect the interests of the organization and the privacy of its clients.
Securing Cyber Security insurance is fast becoming the only path to acquiring new business and keeping current clients. If your company has employee benefit plan data to protect, understanding your baselines to qualify for and maintain this vital coverage is of paramount importance to the life of your business.
Kevin Smallen, MS, CISSP, ITIL-F, is PenChecks Trust’s Chief Information Security Officer with more than three decades of experience in the Information Technology and Data Security field. Roles in systems engineering/architecture and technical management have enabled him to become a well-rounded information security specialist. Kevin holds a Master of Science in Cybersecurity from Liberty University and continues to approach cybersecurity objectives with Confidentiality, Integrity, and Availability (CIA) as the main tenets of how an organization handles data when it is stored, transmitted, and processed.