
Why You Need Cyber Security Insurance and How to Get It

Aug 9, 2022

By Kevin Smallen, Chief Information Security Officer, PenChecks Trust®

In recent months, the topic of Cyber Security insurance has risen to the top of the agenda for the Department of Labor’s (DOL) ERISA Advisory Council (EAC). Each year, the EAC picks topics it deems crucial to the administration of ERISA, and for its May 6, 2022, meeting it chose “Cyber Security insurance and employee benefit plans” as one of them. When the DOL, and specifically the EAC, take a closer look at a topic like Cyber Security insurance for those who handle employee benefit plan data, you can expect it to become a mandatory focus before long.

As cybercrime continues to grow, Cyber Security insurance has become a necessary part of risk mitigation for every company that holds personally identifiable information (PII) from employee benefit plans. With no end to the escalation of attacks in sight, the cost of maintaining Cyber Security insurance coverage is also skyrocketing; in 2021, premiums increased by more than 35%. At the same time, companies with PII to protect are finding it harder to qualify for this type of coverage, because the carriers underwriting this risk now demand more stringent controls for protecting the data you hold.

The good news is that insurance carriers are becoming more educated about which cyber security controls are most effective as part of a layered defense. They are also more aware of the controls needed to address the vulnerabilities commonly found in cloud environments. Insurance companies now know what to look for, and they are using their own cyber security experts to assess organizations seeking insurance protection against a possible breach.

Five Must-Haves to Qualify for Cyber Security Insurance

As a company responsible for employee benefit plan data, here’s what you need to qualify for affordable coverage:

1. Pick a security/compliance framework and run with it

Select an information security framework such as the NIST Cybersecurity Framework (CSF) or ISO 27001 and align your controls to it. Some insurance companies now treat this as a requirement for cyber security coverage. Note that ISO 27001 is a certifiable standard with a formal external audit, while the NIST CSF is typically self-assessed; either way, be prepared to show the insurer a current assessment against the framework you chose, not just a statement that you follow it.

2. Don’t skimp on network security

Implement company-wide multi-factor authentication (MFA). Don’t settle for merely turning on MFA for your email. Instead, require it at every enterprise access point, including email, company portals, firewall and other administrative access, workstation logins, VPNs, and remote desktop. Where you can, prefer phishing-resistant methods (hardware security keys or FIDO2/WebAuthn) over SMS codes and simple push approvals, which attackers can defeat with real-time phishing and push-fatigue prompts. To protect against social engineering of your users, the most common way attackers gain initial access, invest in a robust Security Awareness training regimen focused on phishing and ransomware techniques.

3. Vendor due diligence

Understand and vet your current vendors’ security and compliance at least annually, for example by reviewing their latest SOC 2 report and confirming that any exceptions it lists have been remediated. Always vet a potential vendor as part of your selection process, before the contract is signed rather than after.

4. Incident Response Plan

Security incidents are a matter of “when,” not “if.” No system is 100% secure, so have an incident response plan ready and test it at least once a year, for example with a tabletop exercise that walks through a ransomware or data-theft scenario and confirms who notifies affected plan participants, clients, regulators, and your insurer, and by when. I have seen some insurance companies ask whether you have a third-party incident response firm on retainer if your own response team is not equipped to investigate and communicate a breach. Insurance companies need to feel confident you are prepared to respond to an incident before they will offer you coverage.

5. SOC 2 Compliance

Bite the bullet and head towards SOC 2 (System and Organization Controls) compliance. SOC 2 is an AICPA attestation standard under which an independent auditor reports on a service provider’s controls for protecting customer data, measured against the Trust Services Criteria (security, plus availability, processing integrity, confidentiality, and privacy where they are in scope). A Type I report covers the design of your controls at a point in time; a Type II report also tests that the controls operated effectively over a period, typically six to twelve months, and is the one clients and insurers usually want to see.

Securing Cyber Security insurance is fast becoming a prerequisite for acquiring new business and keeping current clients. If your company has employee benefit plan data to protect, understanding the baseline controls you need to qualify for and maintain this vital coverage is of paramount importance to the life of your business.

Kevin Smallen, MS, CISSP, ITIL-F, is PenChecks Trust’s Chief Information Security Officer, with more than three decades of experience in the Information Technology and Data Security field. Roles in systems engineering/architecture and technical management have enabled him to become a well-rounded information security specialist. Kevin holds a Master of Science in Cybersecurity from Liberty University and continues to approach cybersecurity objectives with Confidentiality, Integrity, and Availability (CIA) as the main tenets of how an organization handles data when it is stored, transmitted, and processed.

