Experts say the need for retirement plan fiduciaries to purchase cybersecurity insurance has grown in recent years as data breaches and other digital incidents have increased dramatically since 2019.
In 2019, the cybersecurity insurance market was estimated to be worth $6 billion. According to Jay Goepfert, founding partner of Culpepper RFP and managing partner of DOL Cybersecurity LLC, the market is projected to grow to $33 billion by 2027 and beyond.
“Since 2019, the number of bad actors, the number of breaches, and their scale have increased almost daily,” Goepfert said. “Right now, it seems like there are major breaches happening literally every day.”
Advisors working with plan sponsors should be aware of and consider cybersecurity insurance if they don’t already have it, Goepfert says. In the meantime, they should consider cybersecurity for their own practices and how to assure plan sponsors that they are practicing what they preach.
Current state of cybersecurity insurance
James Cole, a principal at Groom Law Group, agreed with Goepfert and said the dangers are clearly impacting the retirement plan industry.
“In recent years, incidents involving data breaches of benefit plans and benefit plan advisors have highlighted that this is a very important area of attention for plan sponsors and plan service providers. It should be.”
The cost of cybersecurity insurance itself has also increased dramatically, with rates rising more than 20% annually in recent years, Goepfert says. This year’s tax rate will be raised by 10-15% starting in 2022.
“The crazy price increases and rapidly evolving underwriting issues appear to have leveled out to some degree,” Cole added. “However, this is a very rapidly evolving area and the potential for claims is very high, so we expect to see increased activity in both premium movements and underwriting requirements in the coming years.”
Goepfert, who owns two companies, DOL Cybersecurity, which helps plan sponsors complete DOL cybersecurity assessments, and Culpeper RFP, which provides RFP assessments to service providers, believes cybersecurity is now playing a bigger role for customers. The company says that it accounts for about 10-15% of its valuation, maybe 5% more than it was two years ago.
Goepfert said planning advisors themselves are seeing increased scrutiny from clients of advisors’ internal cybersecurity practices. He noted that plan sponsors are asking questions such as: “What is your employee training on cybersecurity? What is your level of cybersecurity insurance?”
“These are all questions that probably weren’t being asked much three years ago, two years ago,” he says. “It is now an important piece of work that is valued by plan sponsors.”
Advisor: “You don’t need to be an expert”
Despite the increased focus on cybersecurity, planning advisors don’t need to try to become experts in the field, Goepfert says.
“I think I would go in a different direction. The Department of Labor came out in 2021 and issued cyber guidelines for plan sponsors, which is what you need to do for either your company or your service provider,” he says. “If you’re an advisor, this is one of the questions I asked him in his RFP: ‘What advice is he giving plan sponsors regarding his DOL guidelines for 2021 cyber practices?’”
Ali Khawar, the DOL’s principal deputy assistant secretary for employee benefits management, also recognizes that not all plan sponsors are well-versed in cybersecurity issues.
“There is no provision in ERISA that I’m going to talk about that says, ‘You have to have a cybersecurity certification to be a sponsor.’ That’s not the case,” Khawar says. “But these are important obligations. …That set of best practices [addressing plan sponsors] The real purpose of this service is to understand what questions a service provider, administrator, or collaborating agency can ask so that they can have some degree of confidence that they are doing what they are supposed to do. The goal is to help students understand what is good.”
Groom’s Cole points out that the ERISA Advisory Committee has released a report regarding cybersecurity. The group, which advises the DOL, makes clear that fiduciaries must pay close attention to data protection, security, and privacy. These fiduciaries need to pay attention not only to their own internal workings, but also to their service providers and how they handle their data.
“I think we will see more and more retirement plans requesting cyber insurance, as most retirement plans are worth considering [it],” says Cole. “The desire for more complete coverage for insureds, and their demands on insurance companies, will lead to further discussion of coverage language and more specificity on what exactly is and is not covered. I think it will happen.”
These discussions could involve legal-technical and scientific-technical issues, which would require advisors to be more vigilant, he said. Additionally, he expects plan sponsors will need further protection from litigation risk.
“How does it come about? Is it going to be ransomware? Is it due to poor cyber hygiene on the part of the participants? I think those are the areas of exposure that lead to those questions,” Cole says. “I think so [advisers] You need to be aware of increased demand and contractual arrangements with your customers. I think they should be aware of their cyber hygiene and protecting themselves from coverage through cyber policies and other policies that may apply.”