Defined contribution service providers generally have cybersecurity insurance when they take on record keeping and other duties, but defined contribution plan sponsors themselves are more likely to be lacking such coverage.
Some might think that's hard to believe given the level of publicity over breaches at high-profile outlets — even including the Democratic National Committee. But “you'd be surprised” how many DC sponsors are not covered, said Thomas Reagan, managing director and cyber practice leader at insurance broker Marsh Inc., New York.
“Third-party vendor management is one of the most hotly developed areas of cybersecurity because some firms are fundamentally inadequate when it comes to coverage,” Mr. Reagan said. “That's not necessarily their fault; it's costly and very complicated. And with plan sponsors, sometimes defined contribution is an entirely different part of the organization,” whether the sponsoring employer is a private company or a government entity.
There is no legal requirement for plan sponsors or service providers to have cyberinsurance, Mr. Reagan said, “but it's best practice.”
Mr. Reagan said the issue with DC plan coverage is who at a company or governmental agency with a DC plan is responsible for obtaining the insurance.
“It's not necessarily a failure of them to understand that cyber is important; it's that they don't know that cyber is their problem,” Mr. Reagan said. “Maybe some (sponsors) do have checks, but have they asked (vendors) for credentials? It's hard for DC plan fiduciaries to know what to do. People want to do the right thing; they just don't know the right thing to do and sometimes what the right thing to do is. I think it's very easy for a board to ask if they trust a vendor and then move on. But a sponsor plan board is different than an ordinary employer board — there's a higher standard of care required with the plan board. It must be more rigorous.”
Whether DC plans have cyberinsurance coverage generally depends on their size, as the average 401(k) plan has fewer than 100 participants, said Ben Taylor, Chicago-based vice president, defined contribution consultant, at Callan Associates.
“The larger the plans are, you reach a tipping point at which more have cyberinsurance,” Mr. Taylor said. He said Callan's DC client base is generally larger funds with an average of more than $1 billion in assets, and “a significant portion of them do have cyberinsurance.”
Mr. Reagan said DC plan sponsor executives need to be aware that “their fiduciary responsibility extends to their obligation and responsibility to secure data and information.” Even if the plan provider has turned over all operational responsibility to the plan sponsor, Mr. Reagan said, “the plan is still a separate construct from the sponsoring company and has responsibility.”
Graig Vicidomino, associate director at Crystal & Co., a New York-based insurance broker, said DC plan sponsors have not asked about cyberinsurance for their plans, but in the past 12 to 24 months, they've been asking much more about the coverage that their current or potential service providers have.
“In past years, it was very rare to get a question from (sponsor) clients asking if the limits of cyberinsurance carried by service providers are adequate. At least twice as many, if not three times as many, of our clients have asked this in the past two years. They're being much more diligent in learning about their service providers' insurance based on what's been in the news” on cyberattacks. “First they ask their service providers how much coverage they have, then they ask us if that's enough. A lot of law firms are telling their clients to ask these questions, to see if they're comfortable with these (coverage) limits.”
Mr. Vicidomino said he works with money managers, many of which have 401(k) plans and are the ones asking the questions about vendors' coverage levels.