When determining a comprehensive approach to cybersecurity, plan sponsors should keep in mind that ERISA’s standard of care stipulates that fiduciaries must always act in the best interests of participants and beneficiaries. Obtaining cyber liability insurance should be just one element of a comprehensive cybersecurity risk management program, and reviewing cybersecurity as it relates to your retirement plan and third-party vendors should be an ongoing part of plan administration.
ERISA requires that plan sponsors obtain a fidelity bond to protect the plan from losses due to fraud or dishonesty (e.g., theft), but this bond will not cover a cyber-related event unless it specifically includes crime coverage, and even then the coverage will likely be insufficient. Another type of insurance, fiduciary liability insurance, while not required by ERISA, insures fiduciaries, and in some cases the plan, against losses caused by a breach of fiduciary responsibilities. Fiduciary liability insurance may provide only limited coverage for cyber-related events, so fiduciaries should inquire with their insurance provider as to the coverage levels.
In recent years, many companies have started maintaining cybersecurity insurance for their business, but fiduciaries should exercise caution here and have a clear understanding of whether, and the extent to which, the retirement plan may be covered under these policies. A separate cyber liability insurance policy can provide the most comprehensive protection for data breaches and claims from participants and other third parties. It can help a policyholder respond effectively to a cyber breach and provide other risk management services, such as forensic assistance and help complying with regulatory requirements. Often, the biggest expense comes from the investigation and research of the event, not the damages to the plan and participants themselves. It can also ensure dedicated limits for the sponsored plan.
However, it should be noted that cybersecurity insurance does not protect against all cyber risks and often includes exclusions or insufficient coverage for certain circumstances. The takeaway here is that it is critical to know the depth of coverage the policy provides and, perhaps most importantly, what it doesn’t cover. These policies are relatively new and are not standardized in the marketplace, so plan sponsors should work with an experienced insurance broker/advisor for guidance when evaluating their insurance needs. An ERISA attorney specializing in cyber issues would be a good resource for building a cybersecurity policy specific to the plan. Working with an IT firm can also provide valuable assistance in building out an overarching cybersecurity policy that incorporates the needs of the retirement plan.