Is cyber insurance worth the cost?

Many advisers think E&O is enough, but these policies target the wayward web

Jan 15, 2017 @ 12:01 am

By Liz Skinner

President-elect Donald Trump has suggested that delivering messages via courier is the only way to protect data from hackers. But cybersecurity experts have a more practical solution for financial advisers: Craft plans for preventing, detecting and reacting to cyberattacks — then protect the business with insurance.

Increasingly, financial advisers are seeking this safety net.

“The bad players are incredibly sophisticated, and every day you read another horror story,” said Patrice Singleton, Biondo Investment Advisors' chief information security officer. “You can have the best practices in place and adopt the best possible solutions, but nothing is foolproof.”

Biondo, a firm with about $500 million in client assets, bought its first cyber insurance policy in 2014, after weighing the $5,100 per year premium cost against the risk of a systems attack. In the end, the firm's leaders decided the insurance was a protection it wanted in place for the business and its clients.

Headline-grabbing cases like Yahoo's billion-account breach and a continuing cybersecurity focus from financial regulators have helped boost the number of advisers buying cyber insurance policies.

Nearly 30% of financial advisory firms have cyber coverage in addition to their typical errors and omissions policies, according to preliminary data from an InvestmentNews adviser technology benchmarking study underway.

About half of advisers reported that their E&O insurance covers a cybersecurity breach, although in some cases only to a limit less than their overall policy, and 29% said they aren't sure whether their current E&O policy would pay out in such an event.

The Investment Adviser Association estimates about a third of advisers have cybersecurity coverage today, up from about 10% in 2014.

“All financial advisers, regardless of their size, should investigate having some type of data security or privacy insurance in place,” said Katherine Dawson Varholak, a partner and cybersecurity expert at the law firm of Sherman & Howard. “Whenever you're handling the sensitive information of customers, you are at risk of a breach, and it can be quite costly.”

Regulators also have instigated adviser interest in policies.

Laura Grossman, IAA assistant general counsel and its cyberexpert, said the Securities and Exchange Commission is asking firms in its sweep examinations if they have cyber insurance. It has told advisers in written guidance that they may want to look into whether such coverage is appropriate.

“Regulators are thinking about it,” Ms. Grossman said.

Both the SEC and the Financial Industry Regulatory Authority Inc. have brought enforcement cases in the past year or so against firms for cybersecurity failures.

Most recently Finra fined a dozen firms a total of $14.4 million for breaches related to the retention of broker-dealers' and customers' electronic records.

POLICY NUANCES

Cyber insurance could cover the expense of such regulatory fines, but advisers need to carefully evaluate all the nuances of different policies. They are complex and vary greatly, and most advisers rely on an insurance broker to walk them through all the different exceptions and conditions that can apply, Ms. Grossman said.

Advisers need to evaluate the various ways a cyberattack could damage their particular firm financially and seek policies that cover business expenses such as:

  1. Restoring lost data.
  2. Fixing or replacing damaged hardware or software.
  3. Hiring public relations professionals to prevent reputational damage.
  4. Paying for credit monitoring for affected clients.
  5. Hiring forensic experts to investigate an incident.
  6. Covering the costs of lawsuits, regulatory fines and penalties.
  7. Covering profits lost through fraudulent wire transfers.

Cyber policies would cover the loss of an advisory firm's funds if they were wrongfully taken through an email transfer fraud, but not client funds stolen in such a scheme. Harm to client funds is covered either through E&O policies or by a fidelity bond or financial institution bond, insurance brokers said.

Other losses that likely aren't covered by cyber insurance include a firm infecting a client with a virus by mistake or an advisory firm employee crashing a client's network. Generally, the malicious code must impact the insured's systems.

“No advisory firm is the same when it comes to analyzing their exposure to cybersecurity risk,” said Bill Steers, CEO of Gunn Steers & Co., an insurance broker.

THIRD-PARTY BREACH

Advisers are often surprised about the cyberrisk they face from firms they do business with, several brokers said. Cyber policies can cover advisers for costs that result from breaches that occur at a third party.

Some policies also include employee training and risk management tools such as sample cybersecurity policies and procedures firms can put into place, said Andrew Fotopulos, president of Starkweather & Shepley Insurance Corp. and the broker whom Biondo used to buy its cyber policy.

These types of benefits can reduce how much a firm has to pay lawyers or compliance professionals for cybersecurity planning and mitigation, he said.

Cyber policies typically require firms to have strong data handling policies and procedures, and they often require an extensive application to attain the protection, Ms. Varholak said.

A growing type of risk cyber insurance can cover is payments in cases of ransomware, a crime in which access to a firm's computer system is blocked until a sum of money is paid.

Such cases are increasing across all industries, said Russel Van Tuyl, an analyst who assesses firm cybersecurity risk for Sword & Shield Enterprise Security Inc. In many cases, firms decide it is easier to pay the ransom and get back to business than to recreate the lost data or systems, he said.

Just as the coverage varies, the cost of cyber insurance premiums is set based on different factors such as the number of records a firm wants to cover, the number of client accounts it has or the number of investment professionals at the firm. The price also is affected by where client records are stored and how much coverage is purchased.

Firms typically spend between $5,000 and $50,000 a year for policies that provide $1 million to $10 million in coverage, Mr. Steers said.

Biondo saw its cyber policy premiums decline from about $5,100 in 2014 to under $3,900 for each of the past two years because its insurer recognized enhancements the firm had made to its cybersecurity program, Ms. Singleton said.

The advisory firm proactively shares guidance on information security with its clients, mostly retail investors and some retirement accounts. It also describes its own data-security procedures and the existence of its $1 million liability policy on its website.

“It's important to our clients,” Ms. Singleton said.
