ERISA Advisory Council delivers download on cyber insurance

May 8, 2023
A recent ERISA Advisory Council report explores how employee benefit plans can insure against cybersecurity risks. After hearing from a variety of witnesses — including insurance companies, brokers and consultants — the council determined that many plan fiduciaries lack a full understanding of cybersecurity insurance, which typically doesn’t cover theft of plan assets. The council recommended that the Department of Labor (DOL) further study cybersecurity threats and loss mitigation strategies — including the variety of different insurance coverages needed to cover all aspects of potential cybersecurity risks — and develop educational resources for plan fiduciaries.

Increasing attention on cybersecurity practices

Cybersecurity incidents involving employee benefit plans have garnered increased attention in recent years. These incidents have involved breaches of personally identifiable information (PII) and outright theft of defined contribution (DC) plan participants’ account balances.

In 2021, DOL issued informal three-part guidance on cybersecurity best practices for retirement plan sponsors, fiduciaries, recordkeepers and participants. The guidance stated DOL’s view that ERISA requires fiduciaries to take appropriate precautions to manage cybersecurity risks to retirement plan assets and PII. While DOL didn’t suggest that fiduciaries must maintain cybersecurity insurance, the agency recommended that fiduciaries outsourcing plan administrative services determine whether the service provider has insurance for losses caused by cybersecurity breaches. In addition, DOL advised that fiduciaries should be wary of contractual provisions limiting the service provider’s liability for cybersecurity breaches.

DOL has also ramped up related enforcement efforts, launching a high-profile investigation of a DC plan recordkeeper for alleged cybersecurity breaches (Walsh v. Alight Solutions, No. 21-3290 (7th Cir. Aug. 12, 2022)). In addition, the agency has been including questions about cybersecurity practices and oversight in routine audits of employee benefit plans.

Council’s evaluation and recommendations

Recognizing the ever-changing nature of cybersecurity threats and the evolving market for related insurance products, the council recommended that DOL further study cybersecurity insurance and other strategies for mitigating cybersecurity risk. After that study, the council believes DOL should develop additional educational resources for plan fiduciaries and others.

Topics for further study

The council said DOL’s study should go beyond cybersecurity insurance to consider other types of insurance products, as well as contractual indemnities from plan service providers. The council noted that many considerations are relevant to understanding how these kinds of protections relate to employee benefit plans, including:

  • How relevant insurance products are evolving
  • Whether retirement and welfare benefit plans face different considerations
  • Who (i.e., the plan or a third party) bears responsibility for losses
  • How the probability of cybersecurity incidents correlates with the size of the plan or related organization
  • What types of claims result from cybersecurity incidents

Development of educational materials

The council recommended that educational materials address the principal types of cybersecurity threats facing employee benefit plans. In addition, those materials should provide information about key aspects of insurance coverages available to protect against cyber losses, such as:

  • Scope of cybersecurity insurance vs. other coverage. Cybersecurity insurance typically covers losses associated with the breach of PII, such as the costs of notifications to affected individuals, credit monitoring, forensic and legal services, and remediation. However, such coverage generally doesn’t extend to the theft or loss of plan assets. Plan fiduciaries seeking to cover those losses usually would need to obtain separate fidelity or crime policies. Insuring against all potential cybersecurity risks may require fiduciaries to maintain a bundle of different insurance policies, as well as contractual indemnification from service providers.
  • Role of cybersecurity practices in obtaining coverage. Insurance companies often look at an organization’s “cyber hygiene” when underwriting and pricing coverage. Witnesses noted variation among insurers in weighting particular cybersecurity controls but indicated that multifactor authentication (MFA) for remote systems access is essential.
  • Other features of insurance policies. Insurance policies often have deductibles, coverage limits and exclusions. For example, cybersecurity insurance may exclude coverage for ERISA violations. Plan officials should be aware of such exclusions to determine whether to obtain separate fiduciary liability coverage. The council noted that fiduciaries should also fully understand the identity of the named insured, as well as whether coverage is limited to first-party losses (i.e., those incurred by the named insured) or provides coverage of third-party losses (i.e., those incurred by someone other than the named insured, such as plan participants).

Observations about paying premiums with plan assets

The council discussed — but reached no formal conclusion on — whether cybersecurity insurance premiums can be paid with plan assets. While suggesting that fiduciaries could determine such expenses are reasonable and necessary to protect the plan from potential harm, the council cautioned that fiduciaries shouldn’t use plan assets to subsidize the cost of coverage for insureds other than the plan and its participants.

What if fiduciaries and service providers aren’t at fault?

The council made no specific recommendations on what one witness called “blameless” incidents. This would encompass situations where bad actors are able to withdraw a DC participant’s retirement savings using PII obtained elsewhere through no fault of plan fiduciaries or service providers. In such cases, liability insurance coverage maintained by plan fiduciaries and service providers likely wouldn’t cover the associated losses since the policyholders aren’t at fault. One witness stressed that loss of participant assets in these circumstances is “an important and larger social issue in need of a broader policy solution.”
