Is cyber insurance worth the cost?

Many advisers think E&O is enough, but these policies target the wayward web

Jan 15, 2017 @ 12:01 am

By Liz Skinner

President-elect Donald Trump has suggested that delivering messages via courier is the only way to protect data from hackers. But cybersecurity experts have a more practical solution for financial advisers: Craft plans for preventing, detecting and reacting to cyberattacks — then protect the business with insurance.

Increasingly, financial advisers are seeking this safety net.

“The bad players are incredibly sophisticated, and every day you read another horror story,” said Patrice Singleton, Biondo Investment Advisors' chief information security officer. “You can have the best practices in place and adopt the best possible solutions, but nothing is foolproof.”

Biondo, a firm with about $500 million in client assets, bought its first cyber insurance policy in 2014, after weighing the $5,100 per year premium cost against the risk of a systems attack. In the end, the firm's leaders decided the insurance was a protection it wanted in place for the business and its clients.

Headline-grabbing cases like Yahoo's billion-account breach and a continuing cybersecurity focus from financial regulators have helped boost the number of advisers buying cyber insurance policies.

Nearly 30% of financial advisory firms have cyber coverage in addition to their typical errors and omissions policies, according to preliminary data from an InvestmentNews adviser technology benchmarking study underway.

About half of advisers reported that their E&O insurance covers a cybersecurity breach, although in some cases only to a limit less than their overall policy, and 29% said they aren't sure whether their current E&O policy would pay out in such an event.

The Investment Adviser Association estimates about a third of advisers have cybersecurity coverage today, up from about 10% in 2014.

“All financial advisers, regardless of their size, should investigate having some type of data security or privacy insurance in place,” said Katherine Dawson Varholak, a partner and cybersecurity expert at the law firm of Sherman & Howard. “Whenever you're handling the sensitive information of customers, you are at risk of a breach, and it can be quite costly.”

Regulators also have instigated adviser interest in policies.

Laura Grossman, IAA assistant general counsel and its cyberexpert, said the Securities and Exchange Commission is asking firms in its sweep examinations if they have cyber insurance. It has told advisers in written guidance that they may want to look into whether such coverage is appropriate.

“Regulators are thinking about it,” Ms. Grossman said.

Both the SEC and the Financial Industry Regulatory Authority Inc. have brought enforcement cases in the past year or so against firms for cybersecurity failures.

Most recently Finra fined a dozen firms a total of $14.4 million for breaches related to the retention of broker-dealers' and customers' electronic records.


Cyber insurance could cover the expense of such regulatory fines, but advisers need to carefully evaluate all the nuances of different policies. They are complex and vary greatly, and most advisers rely on an insurance broker to walk them through all the different exceptions and conditions that can apply, Ms. Grossman said.

Advisers need to evaluate the various ways a cyberattack could damage their particular firm financially and seek policies that cover business expenses such as:

  1. Restoring lost data.
  2. Fixing or replacing damaged hardware or software.
  3. Hiring public relations professionals to prevent reputational damage.
  4. Paying for credit monitoring for affected clients.
  5. Hiring forensic experts to investigate an incident.
  6. Covering the costs of lawsuits, regulatory fines and penalties.
  7. Covering profits lost through fraudulent wire transfers.

Cyber policies would cover the loss of an advisory firm's funds if they were wrongfully taken through an email transfer fraud, but not client funds stolen in such a scheme. Harm to client funds is covered either through E&O policies or by a fidelity bond or financial institution bond, insurance brokers said.

Other losses that likely aren't covered by cyber insurance include a firm infecting a client with a virus by mistake or an advisory firm employee crashing a client's network. Generally, the malicious code must impact the insured's systems.

“No advisory firm is the same when it comes to analyzing their exposure to cybersecurity risk,” said Bill Steers, CEO of Gunn Steers & Co., an insurance broker.


Advisers are often surprised about the cyberrisk they face from firms they do business with, several brokers said. Cyber policies can cover advisers for costs that result from breaches that occur at a third party.

Some policies also include employee training and risk management tools, such as sample cybersecurity policies and procedures that firms can put into place, said Andrew Fotopulos, president of Starkweather & Shepley Insurance Corp. and the broker Biondo used to buy its cyber policy.

These types of benefits can reduce how much a firm has to pay lawyers or compliance professionals for cybersecurity planning and mitigation, he said.

Cyber policies typically require firms to have strong data handling policies and procedures, and they often require an extensive application to attain the protection, Ms. Varholak said.

A growing type of risk that cyber insurance can cover is payments in cases of ransomware, a crime in which access to a firm's computer system is blocked until a sum of money is paid.

Such cases are increasing across all industries, said Russel Van Tuyl, an analyst who assesses firm cybersecurity risk for Sword & Shield Enterprise Security Inc. In many cases, firms decide it is easier to pay the ransom and get back to business than to recreate the lost data or systems, he said.

Just as the coverage varies, the cost of cyber insurance premiums is set based on different factors such as the number of records a firm wants to cover, the number of client accounts it has or the number of investment professionals at the firm. The price also is affected by where client records are stored and how much coverage is purchased.

Firms typically spend between $5,000 and $50,000 a year for policies that provide $1 million to $10 million in coverage, Mr. Steers said.

Biondo saw its cyber policy premiums decline from about $5,100 in 2014 to under $3,900 for each of the past two years because its insurer recognized enhancements the firm had made to its cybersecurity program, Ms. Singleton said.

The advisory firm proactively shares guidance on information security with its clients, mostly retail investors and some retirement accounts. It also describes its own data-security procedures and the existence of its $1 million liability policy on its website.

“It's important to our clients,” Ms. Singleton said.

