What Advisers Should Know About Cybersecurity Insurance

Experts provide insight into an insurance market predicted to grow from $6 billion to $33 billion in coming years.

Art by Karlotta Freier


The need for retirement plan fiduciaries to carry cybersecurity insurance has grown in recent years, according to experts, as breaches and other digital incidents have increased dramatically since 2019.

In 2019, the cybersecurity insurance market was estimated to be worth $6 billion. By 2027 and beyond, the market is predicted to grow to $33 billion, according to Jay Gepfert, founding partner of Culpepper RFP and managing partner of DOL Cybersecurity LLC.


“Since 2019, the number of bad actors and the number of breaches and the size of those breaches have grown almost every single day,” Gepfert says. “It seems that there’s a major breach literally every single day now.”

Advisers working with plan sponsors should be aware of cybersecurity insurance and consider obtaining it, if they do not have it already, Gepfert says. In the meantime, they should also attend to cybersecurity within their own practice and how they can assure plan sponsors they are practicing what they preach.

The State of Cybersecurity Insurance

James Cole, principal at Groom Law Group, agrees with Gepfert and says the dangers clearly impact the retirement plan industry.

“Over the last couple of years, there have been cases involving data breaches for benefit plans and benefit plan advisers, which should highlight the importance to plan sponsors and plan service providers that this is an exceedingly important area to pay attention to.”

The cost of cybersecurity insurance itself has also risen dramatically, Gepfert says: rates have been climbing by more than 20% per year in recent years, and this year’s rate is a 10% to 15% increase over 2022.

“The manic increases in pricing and the rapidly ever-evolving underwriting questions seem to have, to some extent, levelled,” adds Cole. “But this is such a rapidly developing area, and the potential for claims is such that I would expect to see increased activity in both premium movement and underwriting requirements over the coming years.”

Gepfert, who owns two companies (DOL Cybersecurity, which assists plan sponsors in completing the DOL cybersecurity assessment, and Culpepper RFP, which offers RFP evaluations for service providers), says cybersecurity now plays a larger role in clients’ evaluations, about 10% to 15% of the total, than it did two years ago, when it was probably 5%.

Gepfert says plan advisers themselves are also seeing increased scrutiny from clients on advisers’ internal cybersecurity practices. He notes that plan sponsors are asking questions like, “Have you had any data breaches? What’s your employee training for cybersecurity? What’s your level of cybersecurity insurance?”

“Those are all questions that, three years ago, two years ago, probably very few were being asked,” he says. “Now it is a major piece when they’re being evaluated by plan sponsors.”

Advisers ‘Don’t Have … to be Experts’

Despite the increased focus on cybersecurity, Gepfert says plan advisers do not have to try to be experts in the field.

“I would go a different direction. The Department of Labor came out in 2021, and they published cyber guidelines for plan sponsors that are what they need to be doing either for their own company or for their service providers,” he says. “If you’re an adviser—and this is one of the questions I asked in my RFPs: ‘What are you advising your plan sponsors relative to the 2021 DOL guidelines?’—I think that’s the area where they can help them improve their cyber practices.”

Ali Khawar, the principal deputy assistant secretary for the DOL’s Employee Benefits Security Administration, also recognizes that not all plan sponsors are going to have familiarity with cybersecurity issues.

“There’s not a provision of ERISA that I’m about to tell you that says, ‘You have to have your cybersecurity certification in order to sponsor.’ That is just not the case,” Khawar says. “But these are important obligations. … That set of best practices [addressing plan sponsors] is really aimed at helping them understand what the questions are that they can ask to give themselves some assurance that the service provider, the custodian or whatever institution that they’re working with is doing what they need to be doing.”

Groom’s Cole notes that the ERISA Advisory Council released reports regarding cybersecurity and employee and health benefits in 2022. The group, which advises the DOL, has been clear that fiduciaries must be very mindful of the protections, security and privacy of their data. Those fiduciaries need to pay attention not only to their own internal workings, but also to their service providers and how they are treating that data.

“I think that more and more retirement plans will likely seek cyber insurance, as most of them would be well served to consider [it],” says Cole. “I think that the desire to have more complete coverage for the insured and their demands on the insurers will result in more discussion over coverage language and more specificity as to what exactly is covered and what is not.”

These discussions may involve legally technical and scientifically technical issues, he says, which will require advisers to be more vigilant. Additionally, he foresees plan sponsors needing more protection from litigation risk.

“How will it come? Will it be ransomware? Will it be because participants have bad cyber hygiene? I think those are the areas of exposure that will lead to those questions,” says Cole. “I think that [advisers] should be aware of the increased demands or contractual arrangements with their clients. I think they should be aware of their cyber hygiene and their own protections from coverage through their cyber policy, as well as other policies that might apply.”

DOL’s Khawar Says ‘Partnership’ Needed to Combat Cyber Risks

The principal deputy assistant secretary for EBSA discusses how plan fiduciaries have been using DOL best practice guidance, and why health care may be next.



The U.S. Department of Labor issued cybersecurity guidance for plan sponsors, plan fiduciaries, recordkeepers and plan participants back in April 2021. It was the first time the DOL’s Employee Benefits Security Administration had issued a notice on cybersecurity, and it has since become an industry standard.

The five-page best practices document is a relatively straightforward and practical guide for protecting Americans’ more than $9 trillion in retirement assets. But as a recent breach of plan-related data that exposed participant information showed, the guidance remains crucial in a fast-evolving criminal industry targeting personal information.


The guidance was not designed to target any single group within the large ecosystem of employer retirement plan services, but to remind everyone involved that they have a role to play, says Ali Khawar, the principal deputy assistant secretary for the DOL’s Employee Benefits Security Administration.

“We know of situations where everyone is looking at each other and saying, ‘Well, why didn’t they do more?’ And everyone’s kind of pointing the finger at each other,” he says. “I think everybody knows how those situations go: They happen. That was what we wanted to avoid.”

Khawar recently spoke with PLANADVISER about developments and EBSA focus areas for cybersecurity. The interview was edited for length.

PLANADVISER: EBSA’s cybersecurity guidance has now been in use for more than two years. How has the response been, and what has developed from it?

KHAWAR: A big part of the impetus [in issuing the guidance] was just making sure that everyone understands that when it comes to these issues, that it’s not solely the private sector’s responsibility, but everyone has an important role to play.

We recognize that, depending on the plan sponsor, not all of them are going to have familiarity with cybersecurity issues. There’s not a provision of ERISA that I’m about to tell you that says, ‘You have to have your cybersecurity certification in order to sponsor.’ That is just not the case. But these are important obligations. … That set of best practices [addressing plan sponsors] is really aimed at helping them understand what the questions are that they can ask to give themselves some assurance that the service provider, the custodian or whatever institution they’re working with is doing what they need to be doing.

Even though it’s fair to say that not every stakeholder has a ticker-tape parade when we issue guidance, I think it’s fair to say that it has generally been well received. … It’s kind of helpful to have the government there; but it’s something that I view as a bit more of a partnership than a lot of other issues that we work on.

PLANADVISER: Can you tell me how this has played out on the ground? Has there been more cybersecurity auditing by the DOL or other regulators?

KHAWAR: On a routine basis, when we’re looking at retirement plans, folks should expect that we’re going to be asking some questions about cybersecurity. That doesn’t make every investigation a detailed cybersecurity investigation. But we might ask someone to describe the process by which they hire a service provider or how they’re monitoring their service provider. … That doesn’t necessarily mean we’re pointing to the best practices and asking, ‘Have you done A, B, C and D?’ Because we issued them as best practices, if that’s what you’re doing and you’ve done the kinds of things that are highlighted in there, you’re probably thinking about things the right way, and from our standpoint, have probably satisfied your obligations.

Though it’s very important to stress that: In the same way that you can have a prudent investment process and still lose money on the [investment] you select at the end, you can have a robust cybersecurity process and still have a breach. This isn’t about having something that is impenetrable. Obviously, if someone has that, perfect. But we are at the stage right now where we are making sure that there’s no sloppy mistakes, right? If there’s a known vulnerability, it’s making sure [a plan sponsor is] not waiting weeks or months or years to address the issue.

PLANADVISER: Advisers will often ask how it’s possible for mid- or smaller-tier plan sponsors to manage best practices around cybersecurity—or a number of other retirement compliance areas, for that matter. What would you say to those fiduciaries or firms that are smaller and juggling many items at once?

KHAWAR: One point of our elevating and highlighting these things is to make sure that [small plan sponsors] are paying attention to it. The part we’re focused on is the employee benefit plan. But it’s also true that it redounds to the benefit of their business as well, because their business may also be subject to a ransomware attack, in particular. The fact that they are paying more attention to cybersecurity is not exclusively a good thing from an ERISA perspective.

Part of what we have done is to make it easy for them. That is, when you think of the kind of thing we’re talking about in our tips and our best practices, the goal is not, ‘Do you know what SOCKS is?’ There’s not a quiz. … It comes back to the same context that you have for a lot of fiduciary interactions: It’s a question of, ‘Are you the educated kind of student consumer?’, so to speak. In the same way that if you were using any other service for your business, you would ask questions.

One thing that I’ve heard, including from the small business universe, is that they have literally printed out those best practices and said, ‘OK, we’re in the process of hiring a service provider, please fill this out. And then just give me a written answer.’ It’s a pretty simple way that people can do it, and they don’t have to have a high level of expertise.

PLANADVISER: There was a major breach that hit the retirement plan space recently, and there will likely be more in the future. What do those larger cases do, generally, for your focus and view of cybersecurity needs?

KHAWAR: We were just talking about small employers. But this is not limited to the small employer universe. There are large institutions that I think have benefited from paying more attention to their cybersecurity practices. … One of the questions I think you can always ask yourself when it happens is, ‘What parts of it were preventable?’ and thinking about it—and this is especially true for the service providers—both on a prospective and retrospective basis.

It’s important to approach some of these issues with an open-mindedness. The priority really shouldn’t be, ‘How can we make sure to tell everyone that our process is perfect?’ But if you’re holding ERISA money, the primary job you have is to keep that money safe. If your focus is on justifying after the fact something that maybe was a mistake, instead of fixing the mistake, that’s not where we want people to be.

The criminal element is always evolving. That phenomenon is kind of on steroids when it comes to cybersecurity. The thing that someone did 10 years ago is not the cutting-edge thing of tomorrow. … You really need to have a mindset that [criminal activity] is open to evolution, and taking that critical eye to it is one of the important things.

PLANADVISER: Do you plan to issue more guidance in the future?

KHAWAR: When we issued our best practices in April of ’21, it was framed very much in the retirement plan context. At the time, we wanted to make sure that we had thought through whether there were distinctions between retirement plans and other plans—health plans—but also other welfare plans that are covered by ERISA. We didn’t think anything in the guidance conflicted with what our obligations would be. But the question was, given when you’re talking about health data, for example, there’s other federal privacy requirements. … To what extent do those add on extra things that we might want to highlight?

We asked our ERISA Advisory Council to look at that question. Their conclusion was that while there may be additional requirements that are imposed on fiduciaries of health plans, that … the [cybersecurity] best practices are just as applicable.

One of the things that more recently I’ve started hearing is that because even though we have subsequently said, ‘If you’re complying with it in the context of a retirement plan or a health plan or any other plan, you’re in good shape.’ Right? These are principles that you should be taking seriously. But when some sponsors have asked their service providers kind of the same questions in the context of a health plan and pointed to the Department of Labor [issuance], the answer that they’ve been given is, ‘Well, that’s just about retirement plans.’

That’s something that we’re looking at how we can best address. I think there will be something coming out at some point on that to, again, give something that people can look at in writing and point to.
