What Advisers Should Know About Cybersecurity Insurance
Art by Karlotta Freier
The need for retirement plan fiduciaries to carry cybersecurity insurance has grown in recent years, according to experts, as breaches and other digital incidents have increased dramatically since 2019.
In 2019, the cybersecurity insurance market was estimated to be worth $6 billion. By 2027 and beyond, the market is predicted to grow to $33 billion, according to Jay Gepfert, founding partner of Culpepper RFP and managing partner of DOL Cybersecurity LLC.
“Since 2019, the number of bad actors and the number of breaches and the size of those breaches have grown almost every single day,” Gepfert says. “It seems that there’s a major breach literally every single day now.”
Advisers working with plan sponsors should be aware of and considering cybersecurity insurance, if they do not have it already, Gepfert says. In the meantime, they should consider cybersecurity for their own practice and how they can assure plan sponsors they are practicing what they preach.
The State of Cybersecurity Insurance
James Cole, principal at Groom Law Group, agrees with Gepfert and says the dangers clearly impact the retirement plan industry.
“Over the last couple of years, there have been cases involving data breaches for benefit plans and benefit plan advisers, which should highlight the importance to plan sponsors and plan service providers that this is an exceedingly important area to pay attention to.”
The cost of cybersecurity insurance itself has also gone up dramatically, says Gepfert, with the rate rising at more than 20% per year in recent years. This year’s rate is now at a 10% to 15% increase from 2022.
“The manic increases in pricing and the rapidly ever-evolving underwriting questions seem to have, to some extent, levelled,” adds Cole. “But this is such a rapidly developing area, and the potential for claims is such that I would expect to see increased activity in both premium movement and underwriting requirements over the coming years.”
Gepfert, who owns two companies—DOL Cybersecurity, which assists plan sponsors in completing DOL cybersecurity assessment, and Culpeper RFP, which offers RFP evaluations for service providers—says cybersecurity plays a larger role for clients now—about 10 to 15% of their evaluation—than two years ago, when it was probably 5%.
Gepfert says plan advisers themselves are also seeing increased scrutiny from clients on advisers’ internal cybersecurity practices. He notes that plan sponsors are asking questions like, “Have you had any data breaches? What’s your employee training for cybersecurity? What’s your level of cybersecurity insurance?”
“Those are all questions that, three years ago, two years ago, probably very few are being asked,” he says. “Now it is a major piece when they’re being evaluated by plan sponsors.”
Advisers ‘Don’t Have … to be Experts’
Despite the increased focus on cybersecurity, Gepfert says plan advisers do not have to try to be experts in the field.
“I would go a different direction. The Department of Labor came out in 2021, and they published cyber guidelines for plan sponsors that are what they need to be doing either for their own company or for their service providers,” he says. “If you’re an adviser—and this is one of the questions I asked in my RFPs: ‘What are you advising your plan sponsors relative to the 2021 DOL guidelines?’—I think that’s the area where they can help them improve their cyber practices.”
Ali Khawar, the principal deputy assistant secretary for the DOL’s Employee Benefits Security Administration, also recognizes that, not all plan sponsors are going to have familiarity with cybersecurity issues.
“There’s not a provision of ERISA that I’m about to tell you that says, ‘You have to have your cybersecurity certification in order to sponsor.’ That is just not the case,” Khawar says. “But these are important obligations. … That set of best practices [addressing plan sponsors] is really aimed at helping them understand what the questions are that they can ask to give themselves some assurance that the service provider, the custodian or whatever institution that they’re working with is doing what they need to be doing.”
Groom’s Cole notes that the ERISA Advisory Council released reports regarding cybersecurity and employee and health benefits in 2022. The group, which advises the DOL, has been clear that fiduciaries must be very mindful of the protections, security and privacy of their data. Those fiduciaries need to pay attention not only to their own internal workings, but also to their service providers and how they are treating that data.
“I think that more and more retirement plans will likely seek cyber insurance, as most of them would be well served to consider [it],” says Cole. “I think that the desire to have more complete coverage for the insured and their demands on the insurers will result in more discussion over coverage language and more specificity as to what exactly is covered and what is not.”
These discussions may involve legally technical and scientifically technical issues, he says, which will require advisers to be more vigilant. Additionally, he foresees plan sponsors needing more protection from litigation risk.
“How will it come? Will it be ransomware? Will it be because participants have bad cyber hygiene? I think those are the areas of exposure that will lead to those questions,” says Cole. “I think that [advisers] should be aware of the increased demands or contractual arrangements with their clients. I think they should be aware of their cyber hygiene and their own protections from coverage through their cyber policy, as well as other policies that might apply.”
« DOL’s Khawar Says ‘Partnership’ Needed to Combat Cyber Risks