The following article originally appeared in Align’s National Cyber Security Awareness Month (NCSAM) Article Series.
Cyber breaches. Rarely does a day go by without breaking news on yet another high-profile attack. Equifax. Yahoo. Target. Home Depot. Ashley Madison. Even the governing body of the financial services sector, the powerful Securities and Exchange Commission, announced their EDGAR Database was compromised in late 2016. The more notable the target, the bigger the headline. But, it isn’t only multinational corporations and government entities which are breached.
Cyber risks are ever-present for businesses of all sizes, and Registered Investment Advisers and Investment Managers are no exception. Along with an increasing frequency of attacks, the cost and severity of attacks continue to rise, as well. The need for a robust cyber insurance program has never been greater.
Over the last several years, C-Suite executives at investment advisory firms began to monitor and track the evolution of cyber risks, particularly as it related to the increasing complexity of data and privacy security issues for their firms. This has led to the internal development of policies and procedures, as well as incident response plans, to prepare for and prevent such an attack. Simultaneously, we have seen a significant uptick in resources assigned to intrusion detection and penetration testing. Without question, these are signs that firms are beginning to take a proactive approach to cybersecurity.
The last SEC alert, from the Office of Compliance and Inspections and Examinations, concluded that advisories have dedicated more resources to guard against these potential risks, citing an increased level of preparedness since its last initiative, back in 2014. Of course, cybersecurity remains a priority for SEC regulators, as well as other Self-Regulatory Organizations.
What are the Risks?
Incident response plans are designed for occasions when personally identifiable information (PII), non-public private information (NPPI), confidential employee records, trade secrets, or intellectual property are divulged. A breach which would make this information vulnerable may occur by way of malware; social engineering attacks; lost or stolen devices, such as laptops and storage devices; malicious insiders; or unintended disclosure.
Pointedly, malware attacks, which infect networks and shut-down computer systems, can be a major disruption to an investment advisory’s business.
Internal Costs to a Firm
- Investigation to uncover the scope and nature of the breach
- Containment and preservation of existing systems and data
- Ex-post response
External Costs to the Firm
- Loss or theft of information
- Business disruption
- Damage to equipment
- Loss of revenue and additional expenses
- Loss of Customer Assets
With such high costs associated with a breach, it is clear that insurance should be a part of every advisory’s cybersecurity program. And, yet, only 35% of advisors carry such coverage.
Why Should Advisors Carry Insurance?
In the event of a data security and privacy breach, the costs associated with putting an incident response plan into action are high. According to
the Ponemon Institute’s Cost of Cyber Crime Study, the median annualized cost of a 2016 cyber-crime is $6.7MM, up from $5.5MM only a year earlier.
Ultimately, this is a cost which, with an appropriate internal risk assessment, could have been wholly transferred to an insurer.
Regulatory Guidance and Operational Best Practices
When regulators make “suggestions” and provide “guidance,” as to what a robust cybersecurity program should look like, it would be foolish not to take heed. Since 2015, RIAs have consistently been put on notice that the SEC considers cyber insurance to be part of a balanced, robust security program. At the same time, all industry regulators have made cybersecurity a top priority, dedicating significant resources to the cause.
The implementation of these best practices demonstrates that firms take these risks seriously, instituting a culture of compliance and consumer protection. However, for those firms which take business continuity seriously, there is no substitute for cyber insurance.
Investor Due Diligence
Operational due diligence, conducted by larger institutional investors when determining which RIAs are suitable investment risks, most certainly requires that firms have adequate policies and procedures in place to deal with the potential of a cyber incident, in addition to adequate coverage to manage the aftermath of such an attack.
Cyber Coverage Still Underpriced, Set to Increase – Act Now to Lock in Lower Rates
With premiums in the range of $2,500 to $4,500 per million dollars of coverage, rates remain at historic lows due to an influx of new carriers and increased capacity. For now, cyber coverage remains cost-effective and economically feasible. However, as the number of claims increase, the costs associated with this type of coverage will increase, as well. Now is the time for RIA executives to take advantage of competitive premium rates in a very soft insurance market.
About the Author
Louis D’Agostino, President & Financial Services Practice Leader of Iron Cove Partners, LLC
Louis D’Agostino is a dynamic senior insurance professional with nearly 17 years of experience in the financial services industry. He is presently serving as the President and Financial Services Practice Leader of Iron Cove Partners, LLC. He is dedicated to business and product development and large account placement, resulting in a proven track record of successful negotiation of even the most challenging of claims such as Madoff, investor litigation, and SEC/DOJ enforcement. As part of his work at Iron Cove Partners, Mr. D’Agostino’s expertise has been called upon by a variety of industry trade groups. Prior to accepting his role with Iron Cove Partners, LLC, Mr. D’Agostino spent 10 years working for Frank Crystal & Co., a NYC-based insurance agency founded in 1933. His final role with the organization was as a Director in the Financial Services Department where he was able to perfect his negotiation skills. He successfully placed Management and Professional Liability Insurance on behalf of numerous financial institutions including hedge and private equity funds, registered investment advisors, securities dealers, and consultants. With a diverse battery of skills and experience, Mr. D’Agostino has managed accounts for commercial businesses including real estate, not-for-profits, manufacturing, retail, and tech firms.