Cyber insurance is a critical component of the cyber security risk management program necessary to protect employee benefit plans and participant retirement assets, but it is largely misunderstood. To wit, PLANSPONSOR has detailed an October 5 panel hosted by the National Institute of Retirement Security on how plan sponsors can combat cybercrime (see "How Plan Sponsors Can Combat Cybercrime," PLANSPONSOR). In the article, PLANSPONSOR summarized thoughts from a prominent fiduciary lawyer on the perceived lack of value of cyber insurance for employee benefit plans. The lawyer opined that cyber insurance for benefit plans is (1) expensive and (2) very limited. These are common myths about cyber insurance, but they are not correct. We did not participate in the conference and are relying exclusively on the article. But we want to take this opportunity to rebut these misperceptions about cyber insurance, particularly with respect to protecting employee benefit plans.
The key misunderstanding of the seminar panelists is that most plan sponsors do not even try to secure targeted cyber coverage for just their employee benefit plans. Instead, except for multiemployer and other independent trust funds, nearly every single-employer plan sponsor is relying on cyber coverage issued to the corporate entity to protect their employee benefit plan. The cyber coverage for the corporate entity is not designed to cover employee benefit plan risks cost effectively because the plan sponsor has many extraneous corporate risks. We believe the best fiduciary practice is to purchase dedicated cyber and crime coverage for sponsored plans. If more fiduciaries sought dedicated coverage for sponsored plans – apart from the coverage of their sponsoring entity – they would find that they can secure very affordable and expansive coverage to protect their plan participants from cyber events, including participant account theft. The current way plan fiduciaries seek cyber and crime coverage needs to change, and we explain why below.
Cyber Insurance is Not Expensive, Especially if Plan Sponsors Seek Coverage Dedicated to their Sponsored Plans
In the article, the Groom lawyer reportedly “explained that his clients are spending a lot of resources on cybersecurity insurance, and that for some the costs of premiums are so high that they have abandoned insurance altogether.” Premiums for cyber insurance have gone up dramatically in the last two years. The premiums are coming off very low historical rates, but there is no denying that premiums have doubled or tripled for many companies in the last several years. The premium increases are based on the skyrocketing levels of ransomware and other cyber crime, even though ransomware claims have declined since the start of Russia’s war with Ukraine. The reason is that most cyber crime is based in these two countries, and they are distracted by war.
We try not to criticize the business model of high-priced ERISA lawyers, and hope they stay in their lane when opining on whether cyber insurance is cost effective. But there is a key point missing with respect to benefit plans. Most single-employer plan sponsors do not even attempt to seek coverage dedicated to just their employee benefit plans. Instead, they are relying on coverage purchased for the entire corporate entity. For example, a large American corporation like Amazon or Ford might seek cyber coverage for the entire corporation, but we have seen no evidence of single-employer plan sponsors seeking cyber or third-party crime coverage dedicated for their sponsored plans to protect against participant account theft or other cyber crime discussed in the seminar. If they did, however, they would find it is very economical to cover their employee benefit plan cyber and crime risk.
How can you know that focused cyber insurance for sponsored plans is affordable and cost-effective? Because multiemployer plans have been purchasing cyber insurance for years, and even though the premiums are now higher, the coverage is reasonably priced for plans that can demonstrate effective cyber security controls. For years, plans could secure a $1 million limit of cyber coverage for a range of $1,200 to $10,000, with many policies below $2,500, depending on the size of contributions and/or the number of records handled by the plan. The premiums were dirt cheap. That has changed, but the premiums are still reasonable. The cost of a $1 million limit of coverage now ranges from as low as $2,000 to $11,000 for plans with less than $50 million in annual contributions. Plans with $75-100 million in contributions can secure $2 million in coverage for approximately $17,000. Premiums can vary based on underwriting factors and the level of cyber security controls, but most cyber carriers are portfolio underwriting, except for the largest risks. Carriers are offering the coverage if minimum requirements are met, such as proof of (1) multi-factor authentication, (2) quality data backups, (3) email security controls, and (4) endpoint detection and response and other more sophisticated anti-virus software protections.
We do not see any single-employer plan sponsors seeking coverage for their plans that is separate from the corporate entity to reduce cost and increase the level of insurance protection. Taking the Amazon example, if there is a security breach of the Amazon cloud and the company’s sponsored employee benefit plans at the same time, the benefit plans would be sharing coverage limits with the corporate entity. That could be a serious problem for plan participants. We believe the best fiduciary practice is for the benefit plan committee of single-employer plans to purchase a dedicated cyber and crime insurance program to protect their participants. Companies purchase dedicated fiduciary insurance and a fidelity bond for sponsored plans. It only makes sense to purchase cyber insurance to coordinate with fiduciary and crime insurance to protect sponsored plans. Most cyber events will have intersecting cyber, crime and fiduciary components, and all three coverages need to be coordinated.
Another key reason that plan sponsors need to secure dedicated cyber insurance for employee benefit plans is that some cyber policies contain an express exclusion for anything related to ERISA. This is obviously a problem for employee benefit plans, particularly with an increase in participant class actions alleging breach of fiduciary duty for cyber events. The recent class action lawsuit over the cyber breach involving the Horizon actuarial firm is a good example.
In sum, when the lawyers on the seminar panel are opining that cyber coverage is too expensive, we believe they are referring to cyber coverage for the entire corporate entity, which represents coverage for a whole range of potential threats that have nothing to do with employee benefit plans. By contrast, the cyber risk for employee benefit plans is less than that of the corporate entity for two key reasons. First, most plan assets are with a recordkeeper or bank custodian, and not with the corporate entity. Second, third-party service providers have their own cyber coverage as well. For these reasons, cyber coverage for benefit plans is less expensive than covering the corporate entity.
The Scope of Cyber Coverage is Very Broad
In addition to claiming that cyber coverage is unaffordable, the Groom lawyer is reported to have also “cautioned that [cyber] insurance coverage is very limited.” Specifically, he cautioned that “some insurance policies may only cover you if you require participants to change their passwords every 30 days, and can deny claims on the basis that a plan did not require it.” We try to follow the language of leading cyber carriers to ensure that our own cyber offering is competitive, and we know of no cyber policy that allows a carrier to disclaim coverage for failure to change passwords. Positive payment verification is very common to qualify for certain third-party crime coverages, like social engineering coverage, but we do not know of any password requirement for cyber coverage.
The truth is that the modern cyber insurance policy provides a remarkable breadth of coverage. For an in-depth explanation of cyber insurance for benefit plans, see the testimony Euclid submitted to the Department of Labor ERISA Advisory Committee. Cyber insurance policies provide comprehensive coverage that helps a policyholder respond effectively to a cyber breach, including forensic assistance, complying with regulatory notice requirements, and responding to cyber extortion demands, as well as defense and indemnity protection from regulatory and third-party lawsuits. Cyber carriers also provide valuable cybersecurity risk management services, including upfront and ongoing cyber alerts of potential threats to an insured’s systems. This scope of coverage is far from limited.
While the cyber insurance industry is still new and evolving and coverage is not uniform, a modern cyber insurance policy will provide five key coverage grants:
- Breach Response: This is the coverage necessary to manage, contain and respond to a cyber incident. It includes privacy breach notification services, computer and legal experts, including data forensics to determine whether a data breach has taken place, data restoration and digital data recovery, and public relations.
- Cyber Extortion/Ransomware: Coverage for the assistance and losses in responding to an extortion threat and demand for ransom against the insured’s computer system.
- Business Interruption/Reputational Harm/Loss: Reimbursement for the costs or extra expense stemming from a network interruption.
- Liability to Third Parties: Coverage to respond to regulators or claimants who allege they were injured by a data breach including network security and privacy liability; regulatory proceedings; regulatory fines and penalties; media liability and reputational harm; and PCI DSS Assessment Expenses related to the use of credit cards.
- Cyber Crime: Coverage for theft and property loss, including computer fraud, funds transfer fraud, and social engineering. Cybercrime coverage is not always available in a cyber policy, and is usually sublimited when provided, but third-party crime coverages can also be purchased as part of a comprehensive crime insurance policy (beyond the normal first-party fidelity bond for employee theft).
Far from limited, the scope of cyber insurance covers both first-party (the insured’s own losses) and third-party claims (claims asserted by participants or regulators).
Finally, the lawyers on the cybercrime panel recommended that plan sponsors should consult their legal counsel “who can explain their insurance plan to them if they are unsure if it is a good value or not.” While lawyers may be able to opine on the scope of coverage, the best way to secure a quality cyber policy is to hire an experienced insurance broker with expertise in cyber insurance for benefit plans. Experienced insurance brokers represent the interests of the policyholder and can compare policy coverages and premiums based on market experience.
The Euclid Perspective
The current way plan fiduciaries seek cyber and crime coverage needs to change. Plan sponsors of single-employer plans need to purchase dedicated cyber and third-party crime coverages for their sponsored plans. This coverage should not be shared with the corporate entity. Cyber insurance premiums are going up because of the increase in cybercrime, but employee benefit plans can still secure good coverage at reasonable premiums if they carve out the higher risks of the corporate entity.
Finally, cyber insurance is just one component of a comprehensive risk management plan. Cybersecurity best practices for employee benefit plans are best considered in three areas:
(1) a cyber-security program that includes data safeguards (technological solutions) and comprehensive training for all employees and plan fiduciaries;
(2) vendor-management and indemnification from third parties working with your plan; and
(3) an insurance backstop that includes high quality cyber, fiduciary and crime insurance issued directly to the employee benefit plan [and not shared with the sponsoring entity].