Small and medium-sized retirement plan sponsor businesses (SMBs) need to strengthen their cybersecurity defenses against AI-powered attacks, according to Richard Clarke, chief insurance officer at Colonial Surety. These attacks often target older retirement account holders, he said.

"Plan sponsors, particularly those SMBs who have fewer resources, are facing mounting pressure to educate participants on recognizing cyber risks, and implementing safeguards to protect against potential cyber attacks, all while managing their ERISA compliance requirements to avoid an alleged fiduciary breach," said Clarke.
SMBs are also subject to cyber risk exposures from their service providers, particularly through hacking, phishing, manipulation of systems, password breaches and more, Clarke observed.
Carriers insuring SMBs for cyber risks want to see several measures in place, including multi-factor authentication (MFA), endpoint detection and response, secure data backups, and incident response planning, according to Clarke.
Small plan sponsors may not be able to afford the cost of MFA, and that becomes a "deal breaker" for most cyber insurance companies, he added. Most cyber risk insurers would not cover these small firms even if they committed to getting MFA in place within 90 days, Clarke said.
One solution is to provide shallower cyber risk coverage, he added. That can be accomplished with coverage of fiduciary liability arising from cyber breaches, which can also come in the form of a general fiduciary liability policy with a cyber endorsement added, according to Clarke. Such coverage also addresses allegations of fiduciary breaches that often follow cyber incidents, he said.
Straightforward cyber insurance is a second layer of protection, following fiduciary liability insurance, Clarke explained. Colonial Surety writes fiduciary liability policies with optional cyber exposure endorsements.
Overall, plan sponsors should aim for a combination of prevention and control to address cyber risks, either by "having knowledgeable people or outsourcing protection and services to knowledgeable and well protected organizations," Clarke said.