Cybersecurity Insurance Considerations

The risk of companies being hit by a cyberattack has increased substantially since 2019, according to research from the International Monetary Fund. Within that grouping, financial services firms are particularly vulnerable.

Most plan sponsors, responsible for large sums of participant assets, will likely be very aware of the threat of breaches. Many receive regular updates from advisers and service providers. Some may have, or be considering, cybersecurity insurance to help cover any costs, should a breach occur.

But while cybersecurity experts may preach the value of insurance, plan sponsors and their advisers are often choosing between a variety of plan-related costs.

To help explain cybersecurity insurance for plan fiduciaries, we turned to Steve Taylor, the cyber risk director at BDO USA PC, the U.S.-based division of global accountancy BDO International Ltd.

PLANADVISER: What does cybersecurity insurance offer to a plan sponsor?

Taylor: Cyberinsurance offers plan sponsors with a wide range of benefits, including: data breach coverage; compensation for income lost to a cyberincident; cyber extortion assistance and negotiation services; investigation assistance; and coverage toward legal defense costs.

More importantly, cyberinsurance offers plan sponsors with a sense of security by ensuring financial stability in the event of a cyberincident.

PLANADVISER: What are the advantages to having this insurance?

Taylor: In today’s digital world, cyberthreats are rapidly evolving, and an increasing number of organizations are impacted every day by cyberincidents. At this point, it is no longer a matter of “if,” but rather “when” will a cyberincident occur?

Cyberinsurance provides organizations with financial security against damages caused by cyberincidents, which can go beyond revenue loss and include investigation expenses and credit monitoring. Cyberinsurance also provides organizations with legal support during the aftermath of a data breach or privacy violation and underscores a commitment to clients in safeguarding their data.

PLANADVISER: What does cybersecurity insurance NOT cover that people should be aware of?

Taylor: Cybersecurity insurance typically does not cover physical damage, intentional acts such as fraud, theft of intellectual property, or loss of future revenue resulting from cyberincidents. Prior known cyberincidents and those caused by outdated or unsupported software may also be excluded, along with remediation costs to mitigate the likelihood of future incidents.

PLANADVISER: Have costs gone up as cybersecurity threats have risen?

Taylor: In recent years, the cost of cyberinsurance has gone up due to the higher frequency of cyberattacks (particularly ransomware) and a rapidly evolving threat landscape. The cost of cyberinsurance for plan sponsors can vary significantly and is heavily influenced by factors such as their revenue, claims history, coverage limits and existing security measures to mitigate cyber-risk.

PLANADVISER: Finally, should plan advisers be a good resource for plan sponsors? What questions should advisers be prepared to answer on this issue?

Taylor: Yes, plan advisers and consultants are a great starting place to explore cyberinsurance coverages and costs.

Questions to consider:

• What are the industry-specific considerations for plan sponsors?
• What types of incidents are covered by the policy, and what are the policy exclusions?
• What type of coverage does the policy provide for cyberincidents caused by third parties?
• What are the notification requirements for plan sponsors?
• How should plan sponsors report prior known incidents?
• What specific security measures does the policy require? and
• What type of evidence are plan sponsors required to share and how often?