Plan sponsors seeking cyber insurance face climbing costs, find fewer options
Cybersecurity is an increasingly serious concern for most organizations—with ransomware, phishing, social engineering, and other types of cyberattacks rising at alarming rates in recent years. In particular, retirement plans are at risk from cyberattacks on plan data and/or participant assets. Defined contribution plan sponsors seeking to protect their plans from the costs of such attacks with both new and renewed cyber liability insurance have seen a sharp uptick in premium costs. Moreover, insurers are more reluctant to offer such policies, and those that do are demanding that plan sponsors meet more stringent criteria.
What you should know
Many defined contribution plans remain uninsured despite the rising risk of cyberattacks: a recent survey found that 29% of DC plan sponsors report their plan does not have cyber insurance [1].
Cyber insurance coverage can be cost-prohibitive for some plan sponsors. This is especially challenging for sponsors of smaller organizations with limited budgets.
Rising cyber insurance costs are frequently blamed on greater insurance payouts due to the proliferation of ransomware attacks, but some believe that year-over-year policy price increases represent a correction in valuation of historically underpriced cyber insurance policies.
Cyber insurance policies that cover an employer’s entire organization, rather than the retirement plan itself, can leave gaps in coverage of retirement plan funds. A report from the Government Accountability Office (GAO) said that cyber insurance policies “generally do not replace funds stolen from participants’ accounts” and frequently contain provisions, such as caps on payouts or exclusions for certain types of attacks, that limit the amount of coverage for a cyberattack.
With demand for cyber insurance outpacing supply, insurance carriers are increasingly requiring plan sponsors to have best-in-class cybersecurity practices in place before writing new policies or renewing existing ones. Those include the following:
- Multifactor authentication
- Endpoint detection and response technology
- Employee security training programs
The Employee Benefits Security Administration (EBSA) of the U.S. Department of Labor (DOL) recently released guidance on cybersecurity tips and best practices directed at plan sponsors and fiduciaries regulated by the Employee Retirement Income Security Act of 1974 (ERISA) and at plan participants and beneficiaries. See DOL Provides Cybersecurity Guidance.
The DOL has since begun an audit initiative focusing on retirement plan cybersecurity practices. Plan sponsors and fiduciaries should act now to enhance their internal cybersecurity practices for their benefit plans, confirm the practices of plan service providers, and educate ERISA plan participants about the importance of strong individual cybersecurity practices. See DOL Commences Cybersecurity Audits.