Ullico Executives Tina Fletcher and Marc Zinsmeister recently spoke to the IBEW-NECA on “Preventing & Insuring Data Breaches.” Below is a summary highlighting key points from their talk.

Data breaches are no joke. They can cause interruptions in your operations, result in direct financial losses, jeopardize your reputation, and lead to costly lawsuits. Cyber insurance policies can mitigate some of these losses as one aspect of a well-rounded risk-management plan.

To help multiemployer fund trustees and unions think through their cyber security and insurance strategies, Tina Fletcher, president of Ullico Casualty Group, and Marc Zinsmeister, vice president of information technology, recently spoke on “Preventing & Insuring Data Breaches” during the 2021 IBEW-NECA Employee Benefits Conference.

“If you fail to notice the breach in time, the breach can really become so big that it can become impossible to contain it,” Fletcher warned. “And on average, it takes 206 days to identify and 73 days to contain a breach – so that’s almost a year.”

Due to this lengthy resolution process, along with stiffer state and federal regulations, the costs associated with data breaches are increasing. In fact, the average cost of a data breach is $3.86 million. That price tag can easily go up if protected health information is involved.

“Cyber law is really complicated, because all 50 states have their own set of rules. For example, if your fund is domiciled in, let’s say, Chicago, and you have retirees that moved to warmer climes like Florida, California, Arizona, then you’re going to need to follow regulations in those states,” said Fletcher. “So you need to follow the regulations for each state in which you have participants residing at the time of the breach, not where your fund is domiciled.”

Cyber Insurance: What to Expect in 2021

Unions and multiemployer plans without proper loss control procedures are putting sensitive member and participant information at risk as well as plan assets. The stakes are so high that it’s not enough to reflexively rely on your vendors. “A lot of trustees think, ‘Hey, it’s the TPA’s responsibility,’ but you as trustees are still ultimately responsible for your data,” Fletcher said. “What happens if your TPA doesn’t have enough insurance? You can get a cyber policy that extends to your data wherever it’s located, even if it’s with a vendor.”

Heading into the new year, multiemployer funds and unions should expect premiums for cyber insurance to increase. “Knowing the high cost of cyber claims and the growing number of cyber claims, for most of us it isn’t really a shocker that there will be a huge increase in premiums going forward,” said Fletcher. The good news is that policies will start to be more consistent in their coverage.

Still, funds and unions should plan for longer applications, as more insurers will require documentation of the loss control measures that they have in place to minimize the risk of a breach. The documentation is necessary in order to satisfy the demands of reinsurers. “The reinsurance [companies are] requiring that your insurance carrier have them in place, or you can’t buy the insurance,” Fletcher explained.

Zinsmeister walked participants through a list of loss control procedures that unions will be required to have in place in order to obtain or renew a policy, including the use of firewalls, anti-virus and anti-malware software, multifactor authentication, off-site backups of data, base-level encryption, training and testing, and more.

Most importantly, unions will need written policies and procedures that address their cybersecurity controls. They’re so important that unions need third-party consultants to review policies on a periodic basis. “The policies really dictate all of these loss controls measures,” said Zinsmeister. “Having a third party come in and check them, and draft them in some cases, is beneficial to ensure there aren’t any gaps and that they cover the newest threats.”