Cybersecurity continues to increase in importance as cybercriminals become more resourceful and attacks rise exponentially. That’s why it’s essential for plan sponsors to prepare for a possible data breach.
Ideally, preparations include creating three solid business plans to follow in the event of a breach: an incident response plan, a disaster recovery plan and business continuity plan. Although developing these plans can be a challenge, especially for small teams that already have numerous responsibilities, having them will help you act quickly if your data is compromised.
To be sure that your data is secure, we recommend completing these eight tasks every year:
Completing these tasks will not only help protect your organization; it can also help you obtain adequate cyber liability insurance and demonstrate your efforts to monitor data providers in the event of a federal audit or, worse, if lawsuits or regulatory actions arise because of a cybersecurity incident.
Both cyber liability insurance companies and federal regulatory agencies are significantly increasing their scrutiny of how organizations protect their data.
The cost of a cybersecurity incident is now frequently calculated in millions of dollars, even for small organizations. As a result, cybersecurity insurance companies have raised their requirements for qualifying for coverage. For example, the underwriting questionnaires about cybersecurity practices that insurers use to decide whether to do business with an organization have expanded from one or two questions to multiple pages of required information. Many of them now incorporate elements of the National Institute of Standards and Technology (NIST) Cybersecurity Framework as a basis for allowing or denying coverage.
Meanwhile, organizations that administer benefits under the regulatory umbrella of ERISA (e.g., self-administered fund offices, third-party administrators and the service providers for these organizations) are feeling increasing pressure to adhere to the Cybersecurity Best Practices Guidance that was published by the Department of Labor’s Employee Benefits Security Administration in April 2021. (We discussed that guidance in an April 21, 2021 insight; we also discussed cybersecurity data protection in a December 9, 2021 insight).
If you’re not performing multiple security-related activities each year, you may no longer meet carriers’ qualifications for cybersecurity insurance coverage and you may come under scrutiny during a DOL audit.
Many organizations spend considerable time on cybersecurity by following an ad hoc process. Segal suggests the following two actions to help reduce the effort required to complete the recommended annual tasks:
By following these recommendations, you can be confident that you’re following industry practice.
Additionally, your cyber liability insurance carrier will see that you’re protecting your organization from a breach, which will save time with future renewals.
This page is for informational purposes only and does not constitute legal, tax or investment advice. You are encouraged to discuss the issues raised here with your legal, tax and other advisors before determining how the issues apply to your specific situations.