Are Your Clients Insured Against Cyber Threats?

Experts share tips for how plan sponsors can protect themselves from the increasing threat of cybersecurity attacks and evolving litigation.


In the unfortunate case of a participant’s retirement account data being breached, speakers on a panel at the PLANSPONSOR National Conference in Orlando, Florida, said it is critical that plan sponsors have the proper insurance and cybersecurity practices in place to avoid lawsuits and catastrophic results.

Daniel Aronowitz, managing principal at Euclid Fiduciary, said at the “Are You inSUREd?” panel that plan sponsors need to have safeguards such as multi-factor authentication and regular data backups in place, as well as an indemnification agreement with their recordkeeper that covers cyber incidents.

What Plan Sponsors Should Keep in Mind

Aronowitz said plan sponsors need to make sure they have indemnification in place not only with their recordkeepers, but with every third party involved in their plan and anyone handling money in retirement accounts.

Indemnification clauses are promises by service providers stipulating that if they do something wrong that causes harm to the plan or causes a third party to sue the plan sponsor, the service provider will cover the plan sponsor’s legal costs.

On top of that, Aronowitz said every plan sponsor, third party and plan adviser should make sure it has fiduciary insurance, as well as cyber insurance and crime insurance.

Robert Massa, managing director and Houston operations retirement practice leader at Qualified Plan Advisers, said his firm sends an RFP dedicated specifically to cybersecurity practices to its plan sponsor clients, with the intent that they forward it to their recordkeepers.

“Some of the big recordkeepers share data together about cyber hacks,” Massa said. “This is a place where they’ve all agreed that they’re all at risk, and it doesn’t benefit any one of them to allow the other one to get hacked. … I think that’s a great step in the right direction.”

Massa added that the smaller the recordkeeper is, the higher the risk of a breach, because it is most likely more financially constrained and more likely to outsource cybersecurity to other service providers. Smaller recordkeepers also may not be able to afford as expensive an insurance policy as larger recordkeepers can.

Even if a plan sponsor and their recordkeeper have “airtight” cybersecurity, Massa said it is important to educate employees on cyber-risk and “break it down to the human level.”

If a participant’s personal email gets hacked, for example, Massa said there is the possibility that the breach could snowball. The plan sponsor may not be at fault in this situation, but Massa said it could result in a lawsuit against the plan anyway.

Aronowitz predicted there will be more lawsuits filed over cybersecurity issues in the future. As one example, he cited a December 2022 lawsuit against Colgate in which a participant in the company’s defined contribution plan brought breach of fiduciary duty claims against the plan recordkeeper and the plan’s fiduciary committee, but not against the bank custodian.

Aronowitz said these cases typically come down to whether the plan sponsor breached its fiduciary duty by not properly monitoring its recordkeeper or choosing the best recordkeeper.

Importance of Fiduciary Insurance

“When I think of fiduciary insurance, it’s malpractice insurance,” Aronowitz said. “Doctors need malpractice insurance, lawyers need malpractice insurance [and] fiduciaries of retirement plans need malpractice insurance.”

Aronowitz explained that fiduciary insurance protects the plan sponsor against claims it was negligent or committed “malpractice.”

“Essentially, a breach of fiduciary duty claim is a claim that you messed up,” Aronowitz said.

Many plan sponsors are experiencing high insurance premiums, but Massa added that if plan sponsors have their fiduciary process in place and do the proper documentation and due diligence, they will likely see those premiums become more reasonable.

“Insurance companies are asking a lot about how you do your business,” Massa said. “They want to know if you’ve been benchmarking, meeting regularly [and] your average fund expenses.”
