A Guide to Buying and Maintaining Cyberinsurance

Now more than ever, plan sponsors need to understand what types of coverage are available and what will fit them best.

Employee benefits and retirement plans are a natural target for cybercriminals. Allie Itami, a partner in the law firm Lathrop GPM LLP, notes that health and welfare and retirement plans have large amounts of valuable data, including personal or sensitive information about employees and their beneficiaries.

Plan regulators recognize the problem, as evidenced by the Department of Labor’s recent cybersecurity guidance update, compliance assistance release 2024-01, which includes, “You may want to require insurance coverage such as professional liability and errors and omissions liability insurance, cyber liability and privacy breach insurance, and/or fidelity bond/blanket crime coverage.”

Get more!  Sign up for PLANSPONSOR newsletters.

Does Your Plan Need Cyberinsurance?

Itami says the DOL guidance assumes that insurance is available for cybersecurity breaches or incidents but does not specify cyberinsurance as the only insurance type. Cyberinsurance covers loss and costs associated with a data breach but does not typically offer coverage related to the theft of money.

“The loss of account balances is more likely to be covered by a crime- or fiduciary liability policy,” Itami notes. “So simply purchasing a cybersecurity policy for a plan may not provide all the coverage desired.”

Carol Buckmann, a partner in Cohen & Buckmann P.C., says plan sponsors should understand that their fiduciary liability policy is not a substitute for cyberinsurance. State and other laws impose cybersecurity obligations, so there may not be any allegations of Employee Retirement Income Security Act fiduciary breach made when there is a security breach. As the DOL’s release noted, welfare plans’ fiduciaries have ERISA obligations to keep plan assets and data safe, even though they may also be subject to HIPAA’s Security Rule. “There was confusion about that, since prior DOL guidance implied it but didn’t clearly spell it out,” says Buckmann.

A general cyberinsurance policy’s coverage can be limited. Itami says that although there could be a carve-out for ERISA plans in a general cyberinsurance policy, there is more likely an ERISA fiduciary breach exclusion. She says this situation creates a question of whether a cybersecurity breach is an ERISA fiduciary duty breach, triggering the exclusion.

Buying a Policy

The cyberinsurance market is intricate, according to Richard Clarke, chief insurance officer of Colonial Surety Co. Some product sellers are more knowledgeable than others, and some have access to more potential markets. Cyberinsurance is not standardized, so sponsors need basic knowledge to evaluate insurance options and policy details properly.

Buckmann explains that cyberinsurance is not like an ERISA bond, which is relatively standard across insurers. She says different types of digital coverage are available: “For example, some policies may cover only employees of the plan sponsor, while others may cover third parties.”

A November 2023 report from tax and advisory firm BDO USA recommended that plan sponsors considering retirement plan cybersecurity insurance ask which party—the plan or the sponsor—would be liable for a cybersecurity breach. The report suggested other points to review, including “identifying who is the insured party (the sponsor, the plan or both?), who is responsible for purchasing the policy (the sponsor or the plan?), and the full scope of the policy (in other words, what is or is not covered in the event of a cyber breach?).”

“It is preferrable to remove doubt by naming a plan as a covered entity and seeking explicit coverage for ERISA fiduciary breaches, as well as nonfiduciary cybersecurity breaches,” Itami cautions. “Additionally, if the ERISA plan is the only insured, the fiduciary might more easily conclude that use of plan assets for obtaining the policy is appropriate.”

Clarke says insurance underwriters are becoming more rigid in their decisionmaking, relying heavily on applications and supplemental information before issuing coverage.

“For example, it is almost mandatory for insurance applicants to have multi-factor authentication in place as a prerequisite for obtaining cyberinsurance,” he says. “Some underwriters even require more extensive internal protections than just MFA, depending on the applicant’s risk characteristics.”

In Buckmann’s experience, plan sponsors often wonder how much cybersecurity coverage to buy. She cites one expert whose stock answer is to “buy as much as you can afford.” The reasoning is that a cybersecurity breach has many potentially expensive consequences. “These can include costs of a breach response, ransomware payments, business interruptions or reputational harm, losses from cybercrime and liabilities to third parties,” says Buckmann. “Plan sponsors should not underestimate their potential exposure in deciding how much insurance to purchase.”

Maintaining a Policy

A 2023 study sponsored by Recast Software and conducted by Ponemon Institute, a Michigan-based research center dedicated to privacy, data protection and information security, supports Clarke’s impression of more rigorous underwriting: 50% of the participating information technology and security respondents said it was difficult or very difficult to comply with their insurer’s requirements. More than half reported that their insurer required regular scanning for system vulnerabilities; 43% reported a requirement to scan multiple times each week.

Insurers will want to see plans implement steps recommended by the DOL and other sources of best practices, says Buckmann. Those sources could include the best practices framework of the National Institute of Standards and Technology or the SPARK [Society of Professional Asset Managers and Recordkeepers] Institute.

“The types of practices they will want to see include annual third-party audits of their systems, encryption of sensitive data, employee training, monitoring security of remote workers, good controls on access to data and service provider reviews and assessments,” Buckmann adds.

«