Cybersecurity insurance: What advisors need to know
Fear of the potentially catastrophic impact of cybercrime is leading many planners to seek insurance specifically tailored to fight high-tech perils.
“They want it,” says Daniel Bernstein, securities lawyer at financial consulting firm MarketCounsel. “At the same time, there are no requirements for cyber-insurance.” Just like figuring out actual technological defenses against hacking, choosing the right insurance coverage to fight new and emerging threats can be difficult.
“It’s complicated,” says insurance broker Andrew Fotopulos. “There’s not one off-the-shelf solution.”
Because there’s no one-size-fits-all cyber insurance for advisors, they will generally need to buy several different policies, says Fotopulos, president of Starkweather & Shepley Insurance. The key is to understand how to coordinate coverage – and that means advisors have to know their own specific areas of exposure, as well as differences between policies and their exclusions.
For many advisors, two of the biggest cyber-related insurance concerns center on wire transfer fraud and regulatory oversight issues.
“A lot of advisors don’t understand that email fund transfer fraud isn’t covered under all cyber policies,” Fotopulos explains. Most cyber policies exclude coverage for wire transfer fraud if the claimant didn’t follow the Uniform Commercial Code, which requires a procedure that includes a callback and encryption.
Fotopulos cites the example of a client firm that received a fraudulent wire transfer request for $250,000 via email. The chief compliance officer was on vacation overseas, and an employee completed the transfer without following the firm’s stated procedures. The company had three types of relevant insurance: first, professional liability, which includes directors and officers (D&O) and errors and omissions (E&O) policies; second, a cyber liability policy; and third, a fidelity bond, which protects employers against the acts of individual employees.
The cyber liability policy had exclusions for wire fraud transfers where the UCC wasn’t followed, and the fidelity bond required a callback prior to the transfer, which wasn’t made in this case, so neither of those policies would cover the loss. Fotopulos says the firm was actually lucky because after the email request, the client demanded the money in writing – and the written document triggered the E&O policy, whose coverage was broad enough to include employee negligence. In this case, it was the more traditional policy – not a cyber policy at all – that actually covered the loss. But Fotopulos says another slightly different E&O policy might have denied coverage: in financial services, coverage for fraudulent wire services is more commonly limited to the buying and selling of securities.
Just because a policy has “cyber” in its name doesn’t mean that it provides the kind of coverage that planners need. For example, Fotopulos has run across many cyber policies that explicitly exclude coverage for third party vendors or independent contractors, which means an advisor has no coverage for any work hired out or done by temporary employees. Nor should an advisor assume that their cloud storage providers are properly insured.
“You’re giving them the client data, so you have the exposure of them losing it,” Fotopulos says.
Like cybercrime itself, the forms of insurance to cover it are constantly changing, and advisors need to keep up to date. “It’s all about the coordination of coverage,” says Fotopulos. “You just don’t know how it’s going to fall. So advisors have to understand where they have potentials for loss, what one policy does versus the next – and even what gaps you’re willing to accept.”
Paul Hechinger is a New York-based freelance writer.