Managing your plan’s cyber liability insurance
Sizable account balances and a treasure trove of personal information have made retirement plans a prime target for hackers. To help manage this risk and recover from attacks, plan sponsors should consider including cyber liability insurance as part of their cybersecurity strategy—despite the rising cost. Understanding why insurers are raising their costs and imposing stricter underwriting requirements may help you strengthen your cybersecurity, which in turn may help you secure better pricing.
Why consider cyber insurance?
You may be wondering if you even need cyber insurance for your 401(k) plan. Couldn’t you simply add a rider to your existing business insurance policy instead? Although you’d have to confirm with your provider, many general liability policies exclude cyber events. Additionally, the risks associated with cybercrimes have many nuances, which may make cyber insurance a better approach for your plan. Think of it as having the right tool for the job.
Depending on your insurer and the terms of your coverage, cybersecurity insurance can help you:
- Cover legal fees related to a cyber event, such as a data breach
- Notify affected participants and other parties involved with the plan
- Recover plan assets and compromised data
- Repair damaged computer systems
- Provide credit monitoring and identity theft assistance for affected participants
What’s driving up the cost of cyber liability insurance?
Whether you already have cyber insurance or are considering it, you should plan on paying more for this coverage. The daily onslaught of cyberattacks is prompting insurers to reevaluate their pricing models.
- 73% of surveyed companies said they had experienced a cyberattack, with phishing, ransomware, and privacy breaches being among the most common.1
- Cyber insurance pricing increased an average of 96% year over year in the third quarter of 2021.2
What factors do insurers look at during the underwriting process?
All insurance, including cybersecurity insurance, is about managing risk and, as noted above, the risk of a cyber event is significant: It’s no longer if an event will occur but when. For this reason, insurers are scrutinizing plan sponsors’ cybersecurity strategies during the underwriting process. The results of this scrutiny often affect what the policy covers, coverage limits, deductibles, and premiums. So what can you do to help portray your plan in the best light? Consider putting proper controls2 in place to help reduce your cyber risk exposure.
- A documented cybersecurity plan—The plan should include roles and responsibilities and a description of your security measures, monitoring process, and response strategy.
- Multifactor authentication—Often referred to as two-factor authentication, it requires users to verify their identity in at least two different ways before they are granted access to the plan or participant accounts.
- Privileged access management—The people involved with the day-to-day operation of your plan should only have access to the information they need to perform their jobs, nothing more.
- Email filtering and web security—These filters help block malicious emails and attachments and inappropriate websites to help prevent the spread of malware.
- Cybersecurity training—Your benefits team and employees are the first line of defense, so it’s vital they understand cybersecurity best practices. This year, 82% of incidents involved the human element.3
- A process for monitoring plan providers’ protocols—Your computer systems and website aren’t the only way cyber hackers can access sensitive plan and participant data. Your financial professional, recordkeeper, and third-party administrator also have this data to varying degrees. That’s why it’s important to regularly review the measures they’ve put in place to help protect it.
- Secured, encrypted, and tested backups—In the event of a ransomware attack, a backup can help you recover data and avoid paying the ransom demand.
Ransomware climbed an unprecedented 105% globally in 2021.4
These are just some of the measures insurers may look for—there are many others. Ultimately, they want to feel confident that you’re taking the necessary steps to mitigate the risk of cyberattacks. You should work closely with your IT team (or consultant) to determine the appropriate measures for your plan and then shop around to find an insurer who will provide the coverage you want at a reasonable price.
Cyber liability insurance—a worthy investment to consider
Despite all the steps you take to protect your plan and participants, you may still fall victim to a cyber event. The tactics are becoming more sophisticated, and no cybersecurity plan is foolproof. Investing in cybersecurity insurance can help mitigate the impact of an attack and aid in the recovery process. The higher premiums may be a small price to pay for this added layer of protection.
1 “The state of cyber resilience,” marsh.com, May 2022. Results are based on responses from the 2022 Marsh and Microsoft Cyber Risk Survey.
2 “Cyber Insurance Market Overview: Fourth Quarter 2021,” marsh.com, February 2022.
3 “2022 Verizon Data Breach Investigations Report,” Verizon, 2022.
4 “2022 SonicWall cyber threat report,” sonicwall.com, February 2022.
Important disclosures
The content of this document is for general information only and is believed to be accurate and reliable as of the posting date, but may be subject to change. It is not intended to provide investment, tax, plan design, or legal advice (unless otherwise indicated). Please consult your own independent advisor as to any investment, tax, or legal statements made. The views presented are those of the author(s) and are subject to change.