Cyber insurance for 401(k)s rises in cost, demand

Employers are increasingly aware of the cybersecurity threats facing their 401(k) plans, and some are seeking insurance coverage specifically for that.

It’s an issue the Department of Labor is watching. Earlier this year the regulator issued guidance for plan fiduciaries, and it recently began auditing plans, according to one law firm whose clients have been contacted.

Today, one insurer, Colonial Surety, announced that it has added cybersecurity liability to its fiduciary insurance product, citing the DOL’s guidance as part of the necessity for coverage.

“The new package … [protects] assets from claims of fiduciary breach, as well as cyber liability coverage to safeguard employees’ personal data and assets against cybersecurity threats,” the company said in its announcement. “The new product enables plan sponsors to respond to recent updates to the DOL guidance on cybersecurity and data privacy, as well as protect against one of the most significant risks facing businesses today.”

The new option “provides coverage for the costs of legal services, computer forensic services, public relations and crisis management expenses, notification services, call-center services, credit-monitoring, identity-monitoring or other personal fraud or loss-prevention solutions. It also includes defense and indemnity from covered lawsuits by third parties,” according to the firm.

One of the major providers of fiduciary liability insurance, Euclid Specialty Managers, has offered cybersecurity insurance for plan sponsors for some time. Recently, the market has changed, said Daniel Aronowitz, managing principal at the firm.

“There is a dynamic change in the cyber market,” Aronowitz said. “What’s changed is the constant news about ransomware attacks and the fear that [plan sponsors] could be next.”

The DOL’s guidance was far from revolutionary and didn’t address whether a cyber breach could be considered a failure of fiduciary duty, even while helping to ensure cybersecurity is a fiduciary responsibility, he said.

“In the last two years, most plan sponsors have realized they need to have cyber insurance,” he said.

But coverage is now harder to get, and it costs more, largely due to the higher volume of attacks that resulted in higher loss ratios for insurers.

“Rates have skyrocketed,” he said, by 35% to 60% over the past six months. “Coverage restrictions are now more dramatic.”

In years past, insurers approached underwriting more simply, looking at the industry in which the insured operated, for example. Now, Aronowitz said, underwriting is done on an individual basis — and applicants need to show that they have good cybersecurity practices. That includes having multifactor authentication, data backups in a secondary location that are updated regularly and having the ability to put all critical systems back online within 10 days of an attack, he said.

“You would be surprised at how many plan sponsors cannot meet these three thresholds cybersecurity measures,” he said in an earlier email. “We have found that even some major plan [third-party administrators] do not have universal multifactor authentication.”

So far, the vast majority of the coverage is used for first-party claims, such as the costs and effort an employer must incur to alert people about a data breach, he said. That can include crisis management and forensic and legal expenses of identifying the location and scope of the breach. It can also cover costs associated with regulatory investigations or fines.

There are also instances where a fiduciary gets conned into paying the wrong party — such as a $500,000 vendor payment that goes out to a malicious party posing as a record keeper, Aronowitz noted.

There appears to be a slow rise in incidents of third-party damage, such as an individual participant’s account being raided. In most cases, plan record keepers have handled those situations and made participants whole, but if social engineering to get 401(k) assets becomes more prevalent, that could change, Aronowitz noted.

“We are seeing more 401(k) accounts being hacked,” he said.

Getting coverage

Most often, employers with cybersecurity coverage that extends to their benefit plans opt for it as part of a larger cybersecurity policy for the company, Aronowitz said.

“Most plan sponsors purchase cyber on an entity basis, and not necessarily just for their sponsored plans,” he said in the email. Alternatively, “multiemployer, governmental and other stand-alone trust purchase cyber directly that cover the plans.”

Some plan sponsors might be unaware that they lack cybersecurity insurance for their benefit plans, or they might mistakenly think their fiduciary liability policy covers it, said Jason Roberts, CEO of the Pension Resource Institute.

“The basic exclusion on typical insurance policies will exclude anything having to do with benefit plans,” Roberts said. Some employers have negotiated to have benefit plans covered, he noted.

But for many sponsors, “it’s not on their radar, because they believe those attacks will be focused on the record keeper,” he said. “What they fail to recognize is [the service provider] disclaiming six ways from Sunday their liability and responsibility.”

Related Topics: Cybersecurity, Department of Labor