Archived Insight | July 8, 2022

Cybersecurity Tasks to Protect Data & Meet High Expectations

Cybersecurity continues to increase in importance as cybercriminals become more resourceful and attacks rise exponentially. That’s why it’s essential for plan sponsors to prepare for a possible data breach.


Create business response plans

Ideally, preparations include creating three solid business plans to follow in the event of a breach: an incident response plan, a disaster recovery plan and a business continuity plan. Although developing these plans can be a challenge, especially for small teams that already have numerous responsibilities, having them in place will help you act quickly if your data is compromised.

Eight annual tasks for data security

To be sure that your data is secure, we recommend completing these eight tasks every year:

  1. Review your organization’s policies and procedures, including your cyber insurance policy, and make cybersecurity protection updates based on breach trends.
  2. Train all employees on cybersecurity awareness and provide additional training for leaders and highly privileged users.
  3. Conduct regular phishing tests with your employees to train them on how to avoid falling for real attacks.
  4. Conduct network penetration testing to identify and secure potential entry points an attacker could use.
  5. Retain objective third-party experts who have cybersecurity experience assessing policies and procedures to identify areas for improvement.
  6. Survey your vendors to ensure they are protecting your data in their environments; if they fall short of current best practices, seek new vendors.
  7. Perform a tabletop exercise to prepare the organization to respond appropriately in the event of a cybersecurity incident.
  8. Review your incident response plan and make updates needed based on new cybersecurity trends.

Completing these tasks will not only help protect your organization; it can also help you obtain adequate cyber liability insurance and demonstrate your efforts to monitor data providers in the event of a federal audit, or worse, if lawsuits or regulatory actions arise because of a cybersecurity incident.


Here’s why: The bar is continually rising

Both cyber liability insurance companies and federal regulatory agencies are significantly increasing their scrutiny of how organizations protect their data.

The cost of a cybersecurity incident is now frequently calculated in millions of dollars, even for small organizations. As a result, cybersecurity insurance companies have heightened their requirements to qualify for coverage. For example, the underwriting questionnaires about cybersecurity practices that insurers use to decide whether to do business with an organization have expanded from one or two questions to multiple pages of required information. Many of them now incorporate elements of the National Institute of Standards and Technology (NIST) Cybersecurity Framework as a basis for allowing or denying coverage.

Meanwhile, organizations that administer benefits under the regulatory umbrella of ERISA (e.g., self-administered fund offices, third-party administrators and the service providers for these organizations) are feeling increasing pressure to adhere to the Cybersecurity Best Practices Guidance published by the Department of Labor’s (DOL) Employee Benefits Security Administration in April 2021. (We discussed that guidance in an April 21, 2021 insight; we also discussed cybersecurity data protection in a December 9, 2021 insight.)

If you’re not performing multiple security-related activities each year, you may no longer meet carriers’ qualifications for cybersecurity insurance coverage and you may come under scrutiny during a DOL audit.

Two ways to make cybersecurity more manageable

Many organizations spend considerable time on cybersecurity by following an ad hoc process. Segal suggests the following two actions to help reduce the effort required to complete the recommended annual tasks:

  • Develop a security calendar of activities. For example, annual reviews of policies and procedures might occur every January, employee phishing tests once per quarter and tabletop exercises in July. This prevents a flurry of overlapping activities. Plan the calendar to avoid your organization’s busiest periods.
  • Hire one company that can either perform all activities or serve as a broker to coordinate those activities with their subcontractors. This will save you time that would otherwise be spent finding, hiring and managing multiple vendors. It may also save money because the required cybersecurity activities will be performed in an organized and timely manner. The company may also be able to use its leverage to negotiate discounts that you wouldn’t qualify for on your own. Moreover, you’ll have a single contact point for your cybersecurity needs. Relying on one company to oversee your organization’s cybersecurity activities is particularly helpful if you don’t have a full-time chief information security officer.

A solid strategy with multiple benefits

By following these recommendations, you can be confident that you’re following industry practice.

Additionally, your cyber liability insurance carrier will see that you’re protecting your organization from a breach, which will save time with future renewals.

Everybody wins.

