The following article originally appeared in Align’s National Cyber Security Awareness Month (NCSAM) Article Series.
For investment advisory firms purchasing insurance to protect against a cyber incident, it is important to note that not all policies are created equal. Many such policies were written to address cyber risk for general commercial businesses, not necessarily with financial services firms and their unique risk profile in mind.
The business profile of a Registered Investment Adviser (RIA) is different from that of a standard small business, as managing high net worth or institutional assets brings with it a unique set of risks, especially as it relates to cyber and data security.
RIAs collect a lot of confidential, personally identifiable information, as well as non-public private information, from their clients. Additionally, access to computer systems and telephony is a critical part of business infrastructure. Denied access to networks or telephone systems would cause a major disruption to any small, service-based business, let alone an RIA.
Other concerns specific to RIA cyber risk include fines and penalties, loss of fee-based revenue, regulatory defense costs, and, perhaps most importantly, the loss of customer capital as a result of a social engineering scam. This means that reviewing insuring agreements and policy provisions is more important than ever.
Understand Your 3rd Party Liability Coverage
3rd Party Liability Coverage provides protection for an adviser for liability resulting from a data/privacy security incident. The most important types of 3rd Party Liability Coverage are Privacy, Network Security & Media Liability.
- Privacy Breach: Liability arising out of the disclosure of personally identifiable information and, in some cases, non-public private and confidential information.
- Network Security Incident: Liability arising out of unauthorized access, a denial of service attack, or the downloading of malicious code.
- Media Liability: Liability which arises from defamation, slander, libel, and copyright infringement.
Additionally, while most policies’ coverage includes regulatory defense expenses, fines and penalties are only covered under select policies. Broader policies will include coverage for regulatory fines and penalties; however, the insurability of fines and penalties by regulators is contingent on state domicile and whether coverage is allowed by state law. In any case, such coverage is an important component of any comprehensive cyber insurance strategy.
What 1st Party Coverage Does My Policy Include?
1st Party Coverage is made up of the elements of protection which would provide an insured adviser with coverage for direct costs resulting from a cyber incident.
1st Party Coverage Would Include:
- Business Income and Extra Expense coverage
- Public Relations and Crisis Management costs
- Notification Expenses
- Forensic costs to investigate a cyber event
- Software and Electronic Data Restoration
- E-Extortion Expenses
- Cyber Crime and Social Engineering
While some 1st and 3rd party insuring agreements are automatically included as part of “cyber package” policies, some offerings may not fully relate to the needs of an RIA and, as such, should be removed. For example, why would an RIA need coverage for PCI Fines and Penalties when they don’t accept credit cards? And, why have coverage for Business Income Loss if an RIA couldn’t possibly prove a loss of business income (e.g. advisory fees on managed assets) due to a cyber breach? Moreover, many policies specifically state that business income shall not include “fees,” which, in most cases, would preclude an adviser from collecting on any loss of income.
5 Things Every Investment Adviser Should Consider:
1. Evaluate your Business Income Coverage:
You may be paying for coverage which will never apply. Alternatively, the calculation methodology may not meet your business needs.
2. Beware of Problematic Exclusions:
Make sure your policy doesn’t exclude acts of foreign enemies. We believe that any unauthorized access or cyber breach could be construed as an act of a foreign enemy, leaving you without coverage.
Remove any exclusion related to failure to patch software (e.g. Petya Virus). This type of exclusion is clearly problematic given that the recent Petya Ransomware attack can be traced back to a vulnerability in Microsoft software. If an insured adviser was impacted by such a ransomware attack, no coverage would have been available.
3. Make sure your incident response team and related vendors are approved by your insurance carrier in advance of any incident, as it is required by some carriers.
4. Coverage for Social Engineering Crimes and loss of customer capital may have to be added to your policy or at a minimum, you may need to secure this coverage separately.
5. Be sure consultants, vendors, and independent contractors are covered by your policy. There are numerous instances where consultants, vendors and independent contractors have access to RIA systems and networks. Vicarious Liability for such individuals must be contemplated as part of a robust cyber insurance program!
About the Author
Louis D’Agostino, President & Financial Services Practice Leader of Iron Cove Partners, LLC
Louis D’Agostino is a dynamic senior insurance professional with nearly 17 years of experience in the financial services industry. He is presently serving as the President and Financial Services Practice Leader of Iron Cove Partners, LLC. He is dedicated to business and product development and large account placement, resulting in a proven track record of successful negotiation of even the most challenging of claims such as Madoff, investor litigation, and SEC/DOJ enforcement. As part of his work at Iron Cove Partners, Mr. D’Agostino’s expertise has been called upon by a variety of industry trade groups. Prior to accepting his role with Iron Cove Partners, LLC, Mr. D’Agostino spent 10 years working for Frank Crystal & Co., a NYC-based insurance agency founded in 1933. His final role with the organization was as a Director in the Financial Services Department where he was able to perfect his negotiation skills. He successfully placed Management and Professional Liability Insurance on behalf of numerous financial institutions including hedge and private equity funds, registered investment advisors, securities dealers, and consultants. With a diverse battery of skills and experience, Mr. D’Agostino has managed accounts for commercial businesses including real estate, not-for-profits, manufacturing, retail, and tech firms.