
Why You Need Cyber Security Insurance and How to Get It

Aug 9, 2022

By Kevin Smallen, Chief Information Security Officer, PenChecks Trust®

In recent months, the topic of Cyber Security insurance has crept to the top of the charts for the Department of Labor’s (DOL) ERISA Advisory Council (EAC). Each year, the EAC picks topics it deems crucial to the administration of ERISA. For their May 6, 2022, meeting, they chose “Cyber Security insurance and employee benefit plans” as one of their topics. When the DOL and, specifically, the EAC take a closer look at a topic like Cyber Security insurance for those who handle employee benefit plan data, you can rest assured it will soon become a mandatory focus.

As cybercrimes continue to multiply, Cyber Security insurance is becoming a mandatory risk-mitigation component for any company that holds personally identifiable information (PII) tied to employee benefit plans. With no end to the escalation of attacks in sight, the cost of maintaining Cyber Security insurance coverage is also skyrocketing: in 2021, costs increased by more than 35%. At the same time, companies with PII to protect are finding it harder to qualify for this type of coverage, as the insurance companies that underwrite this risk demand more stringent controls for protecting the data you hold.

The good news is that insurance carriers are getting more educated about which cyber security controls are most effective in a layered approach. They’re also becoming more aware of controls needed to corral the vulnerabilities uncovered in cloud environments. Insurance companies now know what to look for and are using their cyber security experts to help assess organizations looking for insurance protections against a possible breach.

Five Must-Haves to Qualify for Cyber Security Insurance

As a company responsible for employee benefit plan data, here’s what you need to qualify for affordable coverage:

1. Pick a security/compliance framework and run with it

Select an information security framework like NIST Cybersecurity Framework (CSF) or ISO 27001. Some insurance companies are now looking for this as a possible requirement for cyber security coverage.

2. Don’t skimp on network security

Implement company-wide multi-factor authentication (MFA). Don’t settle for merely turning on MFA for your email. Instead, implement it across the board for all your enterprise contact points, including email, company portals, firewall access, workstation logins, VPNs, etc. To protect against social engineering of your users – the #1 cause of breaches – invest in a robust Security Awareness training regimen focused on phishing and ransomware techniques.

3. Vendor due diligence

Understand and vet your current vendors’ security and compliance at least annually. Always vet a potential vendor as part of your selection process before pulling the trigger on a decision.

4. Incident Response Plan

Security incidents are a matter of “when” not “if”. Unfortunately, no system is 100% secure, so have an incident response plan ready and test it once a year at a minimum. I have seen some insurance companies inquiring about retaining third-party incident response if your Response Team is not up to the task of responding to and communicating breaches. Insurance companies need to feel confident you are prepared to respond to an incident before they will offer you coverage.

5. SOC 2 Compliance

Bite the bullet and head towards SOC 2 (Service Organization Control) compliance – an auditing procedure that ensures service providers securely manage data to protect the interests of the organization and the privacy of its clients.

Securing Cyber Security insurance is fast becoming the only path to acquiring new business and keeping current clients. If your company has employee benefit plan data to protect, understanding your baselines to qualify for and maintain this vital coverage is of paramount importance to the life of your business.


Kevin Smallen MS, CISSP, ITIL-F is PenChecks Trust’s Chief Information Security Officer with more than three decades of experience in the Information Technology and Data Security field. Roles in systems engineering/architecture and technical management have enabled him to become a well-rounded information security specialist. Kevin holds a Master of Science in Cybersecurity from Liberty University and continues to approach cybersecurity objectives with Confidentiality, Integrity, and Availability (CIA) as the main tenets of how an organization handles data when it is stored, transmitted, and processed.


PTCA-2022034
