Purchasing a cyberinsurance policy increasingly makes sense to many financial advisory firms. But there are still firms that do not buy dedicated insurance for protection from cyberattacks.
Some may think such policies are duplicative, too costly, or just unnecessary. Others, however, believe cyberinsurance is now a fixed cost of doing business in the age of cyberattacks.
Still, just how many financial advisors have cyber coverage is difficult to total. One reason is that some financial advisory firms may be getting cyber riders or endorsements to existing insurance, such as on an errors and omissions policy or a business interruption policy, rather than getting a “comprehensive” cyberinsurance policy, Carl Metzger, an attorney at Goodwin Procter, explained.
Financial advisors are also sometimes seen as less interested in cyberinsurance than other financial sector businesses. On top of this, only 29 percent of advisors questioned in a 2016 survey by the Financial Planning Association (FPA) completely agreed they were “fully prepared to manage and mitigate the risks associated with cybersecurity.”
“I would say the financial advisory community has had a bit of a lagging interest level as well as appetite in cyberinsurance vs. other financial institutions,” says Anton Lavrenko, deputy regional head and financial institutions cyber practice leader, North America, at Allianz Global Corporate & Specialty. “Having said that, we … have been noticing a recent spike in the interest, but we feel like this recent change is more of a ‘check the box’ type of exercise given FINRA and other regulatory bodies’ examinations and inquiries.”
From the policyholder’s view, cyberinsurance policies are often limited in what they cover, too. Walter Andrews, an attorney at Hunton & Williams, said, “Unfortunately, there still are numerous gaps in cyberinsurance coverage since it is such a new product … and they vary by insurance company.”
Some noteworthy gaps Andrews finds are: the lack of coverage for many breach of contract claims, exclusions for many regulatory actions, exclusions for cyber thefts by state-trained bad actors, and exclusions for infrastructure failure and property damage.
Even if they have a policy, financial firms should take precautions on their own, such as training and planning. Lavrenko describes the policy as “the last line of defense when all else fails.”
“You don’t deal with this risk simply by just buying an insurance policy,” Metzger advises. “You better be doing a lot proactively.”
From his vantage point, Metzger says that five or 10 years ago, it was just a “small minority” of financial advisory firms that were purchasing cyberinsurance. “That number has grown over time,” he said.
Andrews attributes the increased interest in cyberinsurance to the growing number of hacking incidents, and to how the “investment industry” has seen “several high-profile breaches … and is particularly vulnerable to cybersecurity breaches given the type of confidential personal and financial information that it controls.”
The trend comes, too, as there is greater awareness of cybersecurity among financial advisors, Metzger said. In fact, some 81 percent of financial advisors called cybersecurity a “high priority,” according to the FPA survey.
Many professionals caution against a one-size-fits-all cyberinsurance policy for financial advisors. As a starting point, Andrews said the policy should cover both “first-party breach response costs — counsel, forensic investigators, etc. — as well as liability coverage if clients bring claims or suits if their data is accessed. And, they need to have coverage for social engineering fraud, either through their cyber policy and/or through their crime policy, particularly given requests to transfer funds, etc.”
Also, Lavrenko said financial advisors should at least buy coverage that addresses “security failures and privacy breaches, [such as] notification, forensics expenses, breach coaching expenses, etc., as well as cyber extortion events whose frequency has been ticking up recently….” He also recommends including preventative cyber incident services, vulnerability scanning and cybersecurity awareness training.
More fundamentally, he said, customers want a “guarantee of a safety net and that’s what the cyberinsurance policy provides to the customers of its policyholders.”
Another concern is whether clients of a financial firm should be allowed to find out about the insurance. Andrews says they should. “I think that clients want to be reassured that their advisors are sufficiently insured so that they will remain in business if they are hacked,” he said. “They don’t want their advisors to risk going bankrupt if they don’t have sufficient insurance, as that may impact the clients’ investment portfolio.”
“Financial advisory firms care very much about their reputation in the marketplace,” Metzger added. “They want to make customers feel like they were prepared.”