Close
ThinkAdvisor

Life Health > Health Insurance > Your Practice

Cyber reality check: Are advisors more vulnerable to a data breach?

X
Your article was successfully shared with the contacts you provided.

Cyber security. Cyber breach. Cyber insurance. No longer terms of the future, is your firm ready to address each of these areas?

Experts agree that no matter the size of your business, if you handle Personally Identifiable Information (PII), you had better be prepared to protect it in ways you never considered before.

Or as a regulator ominously stated in response to a recent incident: “Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs”.

The Securities & Exchange Commission case in question was settled with R.T. Jones Capital Equities Management in September when it was found that the firm violated the safeguards rule. The St. Louis firm, with assets under management of $481 million and approximately 8,500 accounts, experienced a loss of data on a third-party server via a suspected hack from 2009 to 2013 that exposed the PII of upwards of 100,000 individuals, many of whom were clients of the firm. The firm was fined $75,000 and had to take other precautionary steps to protect those affected.

This is a much more common problem than many realize. We hear about the high profile cases, but a report that tracks data intrusions indicates that there have already been 577 breaches in the country this year with nearly 156 million records exposed. It’s particularly frightening to see the sheer number of businesses and financial services companies that are included on the list. These types of reports are increasingly common since 47 states (plus Washington D.C., Puerto Rico, Guam and the U.S. Virgin Islands) have passed legislation which requires private or government entities to notify individuals of security breaches of information involving PII. Only Alabama, New Mexico and South Dakota have failed to follow suit.

The exposure of records can add up quickly. The financial sector ranks third in the per capita data breach cost at $259 per record lost (behind pharmaceutical and health industries at $298 and $398, respectively).

As a result, the trend of obtaining cyber insurance is on the rise. The Wall Street Journal has reported that advisors are increasing the business-insurance policies they hold and that some are opting for specific coverage that includes “computer fraud and related damages”.

According to the article, premiums for this kind of coverage usually depend on a “firm’s annual revenue, assets under management or number of advisers, as well as the particulars of its data systems—including how solid its securities procedures are and whether maintenance is outsourced.” One insurance broker interviewed for the story says only 50 of his 500-plus adviser-clients have paid for coverage of cyberattacks. “For the financial advisory industry, this is very new,” he said.

The broker goes on to explain why, like many types of insurance, the premium paid would be a better safeguard against the increasing risk of data exposure. He “tried for two years to sell a Connecticut adviser such a policy, without success. Then the firm suspected it was hacked, and paid $4,000 to have an expert check out its systems. It was a false alarm, but that expense equaled one year’s premium”.

There is no doubt that the cyber insurance market is growing significantly each year. A PwC survey estimates that the cyber insurance market will grow from $2.5 billion in cyber insurance premium in 2014 to $7.5 billion in 2020. U.S. companies currently purchase 90 percent of the policies.

Is cyber insurance necessary? It depends on the general protection you have in place and whether you are concerned about absorbing the costs of a potential hack. A cyber insurance policy can address some of the financial costs related to system vulnerability audits. If an intrusion affects your firm, the policy may cover customer protections such as credit monitoring and post-incident public relations and investigations, not to mention possible regulatory fines, legal expenditures and reward monies. It can’t cover everything as you could likely still be subject to lawsuits and customer, data and reputation loss in the event of compromised PII records.

The National Association of Insurance Commissioners notes that the costs of cyber security policies also vary due to wide-ranging information on actuarial data, applicant’s risk management procedures and culture, type of business operation (including its size and scope), type of data collected and stored, etc.

Cyber threats are more real to small- and medium-sized businesses as systems tend to be less secure than corporations.

In other words, if your client data is appealing and reasonably accessible, consider yourself a potential target. 

How can you transform your risk management preparedness and response strategy into a competitive advantage?
 
Introducing ALM’s cyberSecure — A two-day event designed to provide the insights and connections necessary to implement a preparedness and response strategy that changes the conversation from financial risk to competitive advantage.  Learn more about how this inaugural event can help you reduce risk and add business value.

More on this topic