The following article originally appeared in Align’s National Cyber Security Awareness Month (NCSAM) Article Series.
For investment advisory firms purchasing insurance to protect against a cyber incident, it is important to note that not all policies are created equal. Many such policies were written to address cyber risk for general commercial businesses, not with financial services firms and their unique risk profile in mind.
The business profile of a Registered Investment Adviser (RIA) is different from that of a standard small business, as managing high net worth or institutional assets brings with it a unique set of risks, especially as they relate to cyber and data security.
RIAs collect a lot of confidential, personally identifiable information, as well as non-public private information, from their clients. Additionally, access to computer systems and telephony is a critical part of business infrastructure. Denied access to networks or telephone systems would cause a major disruption to any small, service-based business, let alone an RIA.
Other concerns specific to RIA cyber risk include fines and penalties, loss of fee-based revenue, regulatory defense costs, and, perhaps most importantly, the loss of customer capital as a result of a social engineering scam. This means that reviewing insuring agreements and policy provisions is more important than ever.
Understand Your 3rd Party Liability Coverage
3rd Party Liability Coverage provides protection for an adviser for liability resulting from a data/privacy security incident. The most important types of 3rd Party Liability Coverage are Privacy, Network Security & Media Liability.
Privacy Breach: Liability arising out of the disclosure of personally identifiable information and, in some cases, non-public private and confidential information.
Network Security Incident: Liability arising out of unauthorized access, a denial of service attack, or the downloading of malicious code.
Media Liability: Liability which arises from defamation, slander, libel, and copyright infringement.
Additionally, while most policies’ coverage includes regulatory defense expenses, fines and penalties are only covered under select policies. Broader policies will include coverage for regulatory fines and penalties; however, the insurability of fines and penalties by regulators is contingent on state domicile and whether coverage is allowed by state law. In any case, such coverage is an important component of any comprehensive cyber insurance strategy.
What 1st Party Coverage Does My Policy Include?
1st Party Coverage is made up of the elements of protection which would provide an insured adviser with coverage for direct costs resulting from a cyber incident.
1st Party Coverage Would Include:
- Business Income and Extra Expense coverage
- Public Relations and Crisis Management costs
- Notification Expenses
- Forensic costs to investigate a cyber event
- Software and Electronic Data Restoration
- E-Extortion Expenses
- Cyber Crime and Social Engineering
While some 1st and 3rd party insuring agreements are automatically included as part of “cyber package” policies, some offerings may not fully relate to the needs of an RIA and, as such, should be removed. For example, why would an RIA need coverage for PCI Fines and Penalties when they don’t accept credit cards? And, why have coverage for Business Income Loss if an RIA couldn’t possibly prove a loss of business income (e.g. advisory fees on managed assets) due to a cyber breach? Moreover, many policies specifically state that business income shall not include “fees,” which, in most cases, would preclude an adviser from collecting on any loss of income.
5 Things Every Investment Adviser Should Consider:
1. Evaluate your Business Income Coverage:
You may be paying for coverage which will never apply. Alternatively, the calculation methodology may not meet your business needs.
2. Beware of Problematic Exclusions:
Make sure your policy doesn’t exclude acts of foreign enemies. We believe that any unauthorized access or cyber breach could be construed as an act of a foreign enemy, leaving you without coverage.
Remove any exclusion related to failure to patch software (e.g. Petya Virus). This type of exclusion is clearly problematic given that the recent Petya Ransomware attack can be traced back to a vulnerability in Microsoft software. If an insured adviser was impacted by such a ransomware attack, no coverage would have been available.
3. Make sure your incident response team and related vendors are approved by your insurance carrier in advance of any incident, as it is required by some carriers.
4. Coverage for Social Engineering Crimes and loss of customer capital may have to be added to your policy or at a minimum, you may need to secure this coverage separately.
5. Be sure consultants, vendors, and independent contractors are covered by your policy. There are numerous instances where consultants, vendors and independent contractors have access to RIA systems and networks. Vicarious Liability for such individuals must be contemplated as part of a robust cyber insurance program!
Lou D’Agostino is a dynamic senior insurance professional with nearly 17 years of experience in the financial services industry. He is presently serving as Principal of Iron Cove, a division of EPIC Brokers. In his current role, Mr. D’Agostino oversees a group of talented insurance professionals that offer a full suite of insurance products and consulting services to some of the nation’s wealthiest families/high net-worth clients and largest organizations. He is dedicated to business/new product development and large account placement, resulting in a proven track record of successful negotiation of even the most challenging of claims such as Madoff, investor litigation, and SEC/DOJ enforcement. As part of his work at Iron Cove, Mr. D’Agostino’s expertise has been called upon by a variety of industry trade groups. He has presented to the Financial Executives Alliance (FEA), the NYSSCPA, and other peer groups on a wide array of insurance-related topics. He also presented at GAIMops, a leading financial services conference focusing on non-investment operations, on the topic of AIFMD and the associated insurance implications.
Iron Cove is a Division of EPIC Brokers and represents over 400 Financial Institutions. With over 1500 Employees, 50 Offices in the US and over $500mm in annualized revenues, we currently rank as one of the largest privately held insurance brokerages in the US. Iron Cove has been named Best US and Global Insurance Provider by Hedgeweek two (2) years running.