The Right Protection

Insurance answers “What if …?” for a business
Reported by Jill Cornfield
Art by Johnny Dombrowski

What if a plan fiduciary steals from the retirement plan? What if someone makes an unwise investment choice and an unhappy participant sues the plan?

The first, most basic level of protection for retirement plan sponsors and retirement plan advisers is the ERISA bond, mandated by the Employee Retirement Income Security Act (ERISA) under Section 412. This coverage is designed to protect the plan against losses stemming from acts of fraud or dishonesty by anyone whose position involves handling plan funds or other plan property.

All plan sponsors must ensure the plan’s fiduciaries are bonded, but most plan advisers do not need to be unless they are fiduciary investment managers with discretion over the plan’s funds, says Jason Roberts, founder and chief executive of Pension Resource Institute in Manhattan Beach, California.

The coverage is inexpensive, says Harris Tsangaris, managing director of NFP Property & Casualty in New York City, and starts at $750 per year for plans with $1 million in assets—the larger the assets and the number of employees, the larger the premium.

Advisers who do require bonding will need a separate bond for each plan they handle, says Tom Schrandt, vice president of Lockton Affinity, a provider of group insurance in Philadelphia. Schrandt recommends advisers work with a carrier that can aggregate the plans on a single bond with an automatic coverage provision to include any additional plans that come aboard during the year.

However, that affordable premium brings little protection: Schrandt points out that the ERISA bond covers 10% of a plan’s assets, capped at $500,000. While Department of Labor (DOL) regulations do not require additional coverage, they do mention and recommend fiduciary insurance to cover a breach of fiduciary responsibility at the plan sponsor level.

Protecting Fiduciaries’ Assets
Roberts calls the fiduciary liability policy extremely valuable. “Even if an adviser is trying to do everything right,” he says, “every plan should look into having that nice cushion between personal assets and the DOL or a plaintiff’s firm. Plan advisers should recommend this to their plan sponsor clients.” 

One key provision in a fiduciary liability policy is advance of defense costs, according to Philip J. Koehler, chief executive of ERISA Fiduciary Administrators in Newport Beach, California. He warns that plan sponsors and advisers should both guard against policies that say, in effect, if a case holds the insured liable because of malfeasance rather than negligence, the costs are not covered. “The policy should have a provision that will pay for a lawyer up to and including the trial,” Koehler stresses.

Roberts, who is also a partner at Retirement Law Group in Redondo Beach, recalls a panicked call from a plan sponsor client in the midst of a DOL investigation. The plan’s fiduciaries were going to have to pay half a million dollars from their own retirement accounts to reimburse the plan for losses due to real estate investments. “We found this particular plan had fiduciary liability insurance,” Roberts says, “and it covered our [attorney] fees.”

The DOL also allowed the plan to unwind a certain transaction, he adds, and though other investments could not be unwound, Roberts’s firm was able to negotiate with the DOL and achieve a much better solution and a minimal penalty.

Protecting Data
Along with liability associated with malfeasance, fraud or negligence, another gaping hole that both plan sponsors and plan advisers need to be aware of is network security risk and the potential for a breach. “Breaches occur every day, and the increase in activity is a growing concern for all companies,” Tsangaris points out.

When insurance policies for cyber security first appeared, they were generally misunderstood, expensive and hard to get, Schrandt notes. The industry has evolved to acknowledge this exposure, however, and annual premiums have dropped as a result, with as little as $300 covering as much as $1 million in damages.

Cyber liability is best used when it is coordinated with errors and omissions (E&O) insurance, Schrandt advises. An investment professional should also ask whether the policy covers acting on fraudulent instruction and wire fraud, two common exclusions on standard liability policies.

When a hacker gains unauthorized access to personal data—Social Security numbers, names, dates of birth—the breach can trigger notification costs, depending on the state, Tsangaris says. The company’s obligations to notify participants of the breach are state-driven. 

Schrandt observes that Massachusetts has especially rigorous provisions in its data security laws, but nearly all states have requirements that specify time limits to notify affected individuals and to provide credit counseling. “If you have a client base in different states, it can be a full-time job to figure out what’s needed,” he says. “A standalone policy would have the resources to figure out what obligations are required.”

Business interruptions are another exposure that can be addressed by a cyber liability policy: In cases of cyber extortion (commonly called ransomware), Tsangaris explains, a hacker gains access to and locks the victim’s computer. A message appears saying that all the computer’s files are encrypted and directing the user to a Web address to pay a sum of money.

Schrandt warns that the insurance carrier that wants to fix everything with an endorsement—which is a special provision added to a policy to enhance or restrict coverage—may not, in fact, have the actual coverage to address the problem. Most riders are simply too narrow, he says, and will not be comprehensive enough to cover all the facets of cyber exposure. (See sidebar.)

Protecting the Practice
E&O coverage is of particular concern for plan advisers, Roberts says. This critical form of insurance guards against mistakes in business practice—yet, he warns, off-the-shelf versions typically exclude the insured party from serving as a named fiduciary to a retirement plan. On more than one occasion, he says, an insurance company, when it suspected mass litigation brewing, simply said the covered party was acting outside the limits of the policy.

“‘Named fiduciary’ is an ERISA term,” Roberts says, “and as 408(b)(2) requires the express acknowledgement that someone is serving as a fiduciary, we might see some pushback.” For now, many policies exclude ERISA fiduciary services entirely or do not cover investment advice, he says. He offers the example of a firm with 14,000 representatives and one $50 million policy. “All the registered reps fall under that group master policy,” he says. “The way it’s written will either cover ERISA professional services or exclude them. So it’s critical to make sure the E&O insurance covers them.”

According to Roberts, ensuring adequate coverage has three parts: Advisers need to verify they are, in fact, covered; to understand the extent of that coverage in terms of ERISA fiduciary services; and to be comfortable with the policy limits, both in terms of individual claims and in the aggregate.

“It’s becoming more common for plan sponsors to ask the plan adviser to demonstrate his own coverage under his own E&O,” Schrandt says.

Roberts recommends advisers “get a quote for affirmative coverage for services you’re providing. If they say it’s in there, get an express description in writing of the coverage,” he suggests. “It’s an increasingly complex, evolving area of the law, and advisers are on the front lines, scrutinized by regulators and their own firms.”


Cyber Exposure

Protection against cyber exposure is a type of coverage that is wildly misunderstood, says Tom Schrandt, of Lockton Affinity. He is vehement that using endorsements—or special provisions added to a policy to enhance or restrict coverage—is not the right way to address this risk. Errors and omissions (E&O) covers the adviser’s own professional services, he notes, while cyber liability protects against a breach of clients’ personal information that may or may not be triggered during the professional service.

“[Cyber security] is not the same type of exposure, and it’s not going to trigger the E&O coverage,” Schrandt explains. “If your server is breached, that is not a result of your professional service.” He warns that the insurance carrier that wants to fix everything with an endorsement, or rider, is not taking the right approach. According to Schrandt, most riders are simply too narrow and do not cover all the aspects of cyber breaches.

He cites the example of a small professional services office that performed billing and other tasks involving a client’s funds. A staffer who was working with the client’s banking profile suddenly received an email that appeared to be from Intuit, the software provider. The staffer opened the email.

The message was part of a phishing scam; all subsequent keystrokes by the staffer were captured. Within 20 minutes, $85,000 was gone from the client’s bank account and wired overseas.

During interviews with the FBI, the employee showed the email and explained her actions. Since the email appeared to be legitimate, the FBI said in a deposition that the staffer had done nothing wrong—which meant that, under the terms of her firm’s E&O coverage, the claim was denied.

For the same price as a bolt-on endorsement, a dedicated cyber liability solution should be used to protect against the costs of online risks, Schrandt advises.
