As employers and defined contribution plan fiduciaries navigate and negotiate the terms of cyber insurance policies, they also must deal with the fine print of their agreements with record keepers to make sure they understand what those agreements cover and don't cover in the event of a cyberattack and its aftermath.
The warning was sounded in April by the Department of Labor, which issued a series of cybersecurity tips to sponsors focusing on their relationship with record keepers and citing insurance coverage as one key element.
"Be sure to understand the terms and limits of any coverage before relying upon it as a protection from loss," counseled the DOL in discussing what sponsors should do in negotiating contracts with record keepers.
"There is language in the guidance that the department believes fiduciary duties include taking action to protect participants from unlawful disclosure" of data, said Elliot D. Raff, of counsel with the Washington-based law firm Keightley & Ashner LLP. "The fiduciaries have to be very attentive to the record keepers," he said.
Although the DOL's recommendations lack the same legal status as a formal regulation, the DOL's detailed discussion about cyber insurance and other cybersecurity matters should send a strong message to sponsors about their dealings with record keepers, he said. "These tips are clearly saying that prudence is necessary in addressing questions about cybersecurity," he said.
The DOL documents offer suggestions for online security, best practices and fiduciaries' selection of record keepers.
"Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches," the DOL said. Such breaches could include action by employees as well as by contractors or "external threats, such as a third party hijacking a plan participant's account."
To assist clients in following the DOL's suggestions, Mr. Raff's firm offers a three-page checklist for fiduciaries to use when dealing with a record keeper, as well as with other service providers such as a payroll provider, an administrative service provider or an institutional trustee.
Among the checklist items is the question of whether a service provider has an insurance policy "that would cover losses caused by cybersecurity and identity theft breaches."
If so, did the sponsor "determine that the amount of coverage was appropriate under the circumstances"? And does the insurance cover cybersecurity and identity theft breaches by employees, contractors and "outside cyberthieves"?
"Answering 'yes' to questions provides a degree of assurance but is no guarantee that fiduciary conduct would be considered prudent," according to the checklist. A "no" answer means "consideration should be given to potential changes in policy, procedures, contract terms and/or monitoring, as appropriate."