Retirement fund trustees face growing cyber risk, and responsibility for managing and mitigating that risk ultimately rests with the board. Funds hold vast amounts of sensitive personal and financial data, which makes them attractive targets for cybercriminals. Cyber liability insurance has become an essential tool for transferring this risk, but selecting the right coverage, and the right level of cover, is not straightforward. Trustees must navigate a complex landscape of coverage options, legal responsibilities and evolving threat vectors, and there are a number of key factors to consider when purchasing cyber liability insurance.
Understanding the fund’s risk profile
The starting point is a clear understanding of the fund’s specific risk profile. This includes analysing the nature and volume of the data held, the fund’s adherence to all legislative requirements, the cyber expertise on the board and the specific IT infrastructure used by or on behalf of the fund. It also includes vetting the contractual terms and conditions of all third-party service providers, such as administrators, asset managers, legal and other advisors, and ensuring that those vendors carry their own robust crime, professional liability and cyber cover.
This risk analysis must cover the full flow of member data through the fund, from the participating employer through to the administrator. Effective 1 June 2025, trustees will be required to establish, publish and implement a robust cybersecurity framework in terms of the Financial Sector Conduct Authority’s (FSCA) Joint Standard on Cybersecurity of 2024. This requirement, including the obligations for training and ongoing testing of the framework, will go a long way towards helping boards understand their fund’s unique cyber risk profile.
Scope of coverage
Cyber liability insurance policies vary widely in what they cover, and the market for this class of cover for retirement funds in South Africa is unfortunately extremely limited, with only a few insurers providing capacity for the risk. Self-administered funds, which own and operate their own IT platforms, should purchase standalone cyber cover that extends to the business interruption loss of a downtime event. Third-party administered funds, including umbrella funds administered by third-party vendors, can usually cover the cyber exposure under their compulsory Trustee Liability Insurance. In either case, trustees need to ensure that the cyber cover extends to both first-party losses and third-party liabilities. First-party cover responds to losses the fund itself incurs following a data or cyber breach (for example forensic investigation, data restoration and notification costs), whilst third-party cover responds to the fund’s legal liability to its members and other third parties following an insured breach.
Cyber liability cover should also include legal defence and regulatory investigation costs following an incident, ransomware and extortion response and, where legally insurable, regulatory fines and penalties. Because trustees may well be held personally liable for failing to manage and mitigate this growing risk, they must also ensure that their personal (fiduciary) liability is covered should they ever be challenged following an event.
Limits and sub limits of liability
There is no hard and fast rule or methodology for selecting an appropriate limit of indemnity when purchasing cyber insurance, and retirement funds are no different. Having analysed the risk profile of the fund and run various loss scenarios, trustees must also consider any policy restrictions that narrow the cover, for example sub-limits on ransomware or data restoration, and review the exclusions to ensure that no unwarranted restrictions are being imposed. Trustees should remember that the limit of indemnity usually applies on an annual aggregate basis, so legal costs and all other covered loss during the policy year erode the same limit.
It is always recommended that the board consult expert cyber liability brokers who can benchmark limits, advise on the technical aspects of the cover and bring cyber claims experience. Cyber claims can be extremely complex and difficult to manage, often involving legal, forensic and reputation management experts. For this reason, trustees must also be comfortable with the insurer they select, ensuring that it has the financial strength, technical know-how and panel of expert vendors needed to handle a claim. Finally, whilst cost is always a consideration, the cheapest policy does not always provide the best protection. Trustees should balance premium cost against the breadth of coverage, the quality of claims support and the flexibility of the policy.