5 Key Coverage Elements of a Comprehensive Cyber Insurance Program for Registered Investment Advisers

The following article originally appeared in Align’s National Cyber Security Awareness Month (NCSAM) Article Series. 

For investment advisory firms purchasing insurance to protect against a cyber incident, it is important to note that not all policies are created equal. Many such policies were written to address cyber risk for general commercial businesses and not necessarily with financial services firms, and their unique risk profile, in mind.

The business profile of a Registered Investment Adviser is different than that of your standard small business, as managing high net worth or institutional assets brings with it a unique set of risks, especially as it relates to cyber and data security.

RIAs collect a lot of confidential, personally identifiable information, as well as non-public private information, from their clients. Additionally, access to computer systems and telephony is a critical part of business infrastructure. Denied access to networks or telephone systems would cause a major disruption to any small, service-based business, let alone an RIA.

Other concerns specific to RIA cyber risk include fines and penalties, loss of fee-based revenue, regulatory defense costs, and, perhaps most importantly, the loss of customer capital as a result of a social engineering scam. This means that reviewing insuring agreements and policy provisions is more important than ever.

Understand Your 3^rd Party Liability Coverage

3^rd Party Liability Coverage provides protection for an adviser for liability resulting from a data/privacy security incident. The most important types of 3^rd Party Liability Coverage are Privacy, Network Security & Media Liability.

Privacy Breach: Liability arising out of the disclosure of personally identifiable information and, in some cases, non-public private and confidential information.

Network Security Incident: Liability arising out of unauthorized access, a denial of service attack, or the downloading of malicious code.

Media Liability: Liability which arises from defamation, slander, libel, and copyright infringement.

Additionally, while most policies’ coverage includes regulatory defense expenses, fines and penalties are only covered under select policies. Broader policies will include coverage for regulatory fines and penalties; however, the insurability of fines and penalties by regulators is contingent on state domicile and whether coverage is allowed by state law. In any case, such coverage is an important component of any comprehensive cyber insurance strategy. 

What 1^st Party Coverage Does My Policy Include?

1^st Party Coverage is made up of the elements of protection which would provide an insured adviser with coverage for direct costs resulting from a cyber incident.

1^st Party Coverage Would Include:

• Business Income and Extra Expense coverage
• Public Relations and Crisis Management costs
• Notification Expenses
• Forensic costs to investigate a cyber event
• Software and Electronic Data Restoration
• E-Extortion Expenses
• Cyber Crime and Social Engineering

While some 1^st and 3^rd party insuring agreements are automatically included as part of “cyber package” policies, some offerings may not fully relate to the needs of an RIA and, as such, should be removed. For example, why would an RIA need coverage for PCI Fines and Penalties when they don’t accept credit cards? And, why have coverage for Business Income Loss if an RIA couldn’t possibly prove a loss of business income (e.g. advisory fees on managed assets) due to a cyber breach? Moreover, many policies specifically state that business income shall not include “fees,” which, in most cases, would preclude an adviser from collecting on any loss of income.

5 Things Every Investment Adviser Should Consider:

1. Evaluate your Business Income Coverage:

You may be paying for coverage which will never apply. Alternately, the calculation methodology may not meet your business needs

2. Beware of Problematic Exclusions:

Make sure your policy doesn’t exclude acts of foreign enemies. We believe that any unauthorized access or cyberbreach could be construed as an act of a foreign enemy, leaving you without coverage. 

Remove any exclusion related to failure to patch software (e.g. Petya Virus). This type of exclusion is clearly problematic given that the recent Petya Ransomware attack can be traced back to a vulnerability in Microsoft software. If an insured adviser was impacted by such a ransomware attack, no coverage would have been available.

3. Make sure your incident response team and related vendors are approved by your insurance carrier in advance of any incident, as it is required by some carriers.

4. Coverage for Social Engineering Crimes and loss of customer capital may have to be added to your policy or at a minimum, you may need to secure this coverage separately.

5. Be sure consultants, vendors, and independent contractors are covered by your policy. There are numerous instances where consultants, vendors and independent contractors have access to RIA systems and networks. Vicarious Liability for such individuals must be contemplated as part of a robust cyber insurance program!

For more information, contact Louis D’Agostino of Iron Cove (Now EPIC Brokers & Consultants) at 646-452-4031 or lou.dagostino@epicbrokers.com Additionally, visit www.ironcoveins.com.