President-elect Donald Trump has suggested that delivering messages via courier is the only way to protect data from hackers. But cybersecurity experts have a more practical solution for financial advisers: Craft plans for preventing, detecting and reacting to cyberattacks — then protect the business with insurance.
Increasingly, financial advisers are seeking this safety net.
“The bad players are incredibly sophisticated, and every day you read another horror story,” said Patrice Singleton, Biondo Investment Advisors' chief information security officer. “You can have the best practices in place and adopt the best possible solutions, but nothing is foolproof.”
Biondo, a firm with about $500 million in client assets, bought its first cyber insurance policy in 2014, after weighing the $5,100 per year premium cost against the risk of a systems attack. In the end, the firm's leaders decided the insurance was a protection it wanted in place for the business and its clients.
Headline-grabbing cases like Yahoo's billion-account breach and a continuing cybersecurity focus from financial regulators have helped boost the number of advisers buying cyber insurance policies.
Nearly 30% of financial advisory firms have cyber coverage in addition to their typical errors and omissions policies, according to preliminary data from an InvestmentNews adviser technology benchmarking study underway.
About half of advisers reported that their E&O insurance covers a cybersecurity breach, although in some cases only to a limit less than their overall policy, and 29% said they aren't sure whether their current E&O policy would pay out in such an event.
The Investment Adviser Association estimates about a third of advisers have cybersecurity coverage today, up from about 10% in 2014.
“All financial advisers, regardless of their size, should investigate having some type of data security or privacy insurance in place,” said Katherine Dawson Varholak, a partner and cybersecurity expert at the law firm of Sherman & Howard. “Whenever you're handling the sensitive information of customers, you are at risk of a breach, and it can be quite costly.”
Regulators also have instigated adviser interest in policies.
Laura Grossman, IAA assistant general counsel and its cyberexpert, said the Securities and Exchange Commission is asking firms in its sweep examinations if they have cyber insurance. It has told advisers in written guidance that they may want to look into whether such coverage is appropriate.
“Regulators are thinking about it,” Ms. Grossman said.
Both the SEC and the Financial Industry Regulatory Authority Inc. have brought enforcement cases in the past year or so against firms for cybersecurity failures.
Most recently, Finra fined a dozen firms a total of $14.4 million for breaches related to the retention of broker-dealers' and customers' electronic records.
POLICY NUANCES
Cyber insurance could cover the expense of such regulatory fines, but advisers need to carefully evaluate all the nuances of different policies. They are complex and vary greatly, and most advisers rely on an insurance broker to walk them through all the different exceptions and conditions that can apply, Ms. Grossman said.
Advisers need to evaluate the various ways a cyberattack could damage their particular firm financially and seek policies that cover business expenses such as:
- Restoring lost data.
- Fixing or replacing damaged hardware or software.
- Hiring public relations professionals to prevent reputational damage.
- Paying for credit monitoring for affected clients.
- Hiring forensic experts to investigate an incident.
- Covering the costs of lawsuits, regulatory fines and penalties.
- Covering profits lost through fraudulent wire transfers.
Cyber policies would cover the loss of an advisory firm's funds if they were wrongfully taken through an email transfer fraud, but not client funds stolen in such a scheme. Harm to client funds is covered either through E&O policies or by a fidelity bond or financial institution bond, insurance brokers said.
Other losses that likely aren't covered by cyber insurance include a firm infecting a client with a virus by mistake or an advisory firm employee crashing a client's network. Generally, the malicious code must impact the insured's systems.
“No advisory firm is the same when it comes to analyzing their exposure to cybersecurity risk,” said Bill Steers, CEO of Gunn Steers & Co., an insurance broker.
THIRD-PARTY BREACH
Advisers are often surprised about the cyberrisk they face from firms they do business with, several brokers said. Cyber policies can cover advisers for costs that result from breaches that occur at a third party.
Some policies also include employee training and risk management tools such as sample cybersecurity policies and procedures firms can put into place, said Andrew Fotopulos, president of Starkweather & Shepley Insurance Corp. and the broker Biondo used to buy its cyber policy.
These types of benefits can reduce how much a firm has to pay lawyers or compliance professionals for cybersecurity planning and mitigation, he said.
Cyber policies typically require firms to have strong data handling policies and procedures, and they often require an extensive application to attain the protection, Ms. Varholak said.
A growing type of risk cyber insurance can cover is payments in cases of ransomware, a crime in which access to a firm's computer system is blocked until a sum of money is paid.
Such cases are increasing across all industries, said Russel Van Tuyl, an analyst who assesses firm cybersecurity risk for Sword & Shield Enterprise Security Inc. In many cases, firms decide it is easier to pay the ransom and get back to business than to recreate the lost data or systems, he said.
Just as coverage varies, the cost of cyber insurance premiums depends on factors such as the number of records a firm wants to cover, the number of client accounts it has or the number of investment professionals at the firm. The price is also affected by where client records are stored and how much coverage is purchased.
Firms typically spend between $5,000 and $50,000 a year for policies that provide $1 million to $10 million in coverage, Mr. Steers said.
Biondo saw its cyber policy premiums decline from about $5,100 in 2014 to under $3,900 for each of the past two years because its insurer recognized enhancements the firm had made to its cybersecurity program, Ms. Singleton said.
The advisory firm proactively shares guidance on information security with its clients, mostly retail investors and some retirement accounts. It also describes its own data-security procedures and the existence of its $1 million liability policy on its website.
“It's important to our clients,” Ms. Singleton said.