Should RIAs buy cybersecurity insurance?
As the head of a cybersecurity management firm, I have built an entire business around protecting RIA technology systems and their data. My livelihood depends on getting cybersecurity right for my own firm and for my clients. A breach of any sort could be catastrophic to my business.
As a result, I have learned a bit about cyberinsurance policies, having reviewed quite a few over the years for myself and for clients. Years ago, the policies that were on the market were not worth having, from our perspective.
But much has changed as technology and the threat of cybersecurity incidents have evolved. The insurance industry’s understanding of cybersecurity has expanded, competition has increased dramatically among insurance firms and rates have tumbled.
As a result, RIAs should consider carrying cybersecurity insurance to protect themselves in the event of a breach.
Today, a well-crafted cybersecurity insurance policy can be prudent for two reasons. For starters, despite the best efforts of ironclad cybersecurity policies and protocols, even the best technology in the world cannot fully withstand poor human choices, which are the cause of most cybersecurity breaches. And second, a well-written policy will cover the costs associated with cleaning up the mess at a fraction of what it would cost the firm out of pocket in the event of a breach.
Still, there are widespread differences in the base cyberinsurance policies on the market today, so RIAs should work closely with their legal advisors to sort through the inconsistent terminologies, exclusions and policy limits. These policies can contain plenty of exclusions designed to protect the insurer and limit payout.
RIAs should also include the expertise of the other members of the cybersecurity team — technology management partners, the chief information officer (CIO) or the chief information security officer (CISO) — when evaluating their insurance options. A team approach can help the RIA owner avoid unnecessary surprises and decipher legal and technological jargon when negotiating the policy terms.
- Know what you’re buying. Unfortunately, cyberinsurance has not evolved to the point where policies are clear or industry specific, and insurers do not use the same terminology to represent the same things. Terms differ across carriers and the definitions of these terms vary as well. Since there is no one-size-fits-all solution for RIAs, firm owners need to work with their attorneys and brokers to comparison-shop, and then request modifications based on input from their cybersecurity team.
- The policy should cover a variety of losses stemming from an incident. If a cyberattack is successful, the RIA could open itself up to a host of other costs over time — for example, legal defense, regulatory fines and penalties, credit monitoring, media and public relations — in addition to expenses incurred because of the business interruption. The RIA owner needs to examine the coverage amounts and understand which costs are or are not covered, and what the limits are for each of these items. How much does the policy cover for fraud? How much for the expenses related to recovery? What does the insurer expect the RIA to cover?
- Understand the criteria for triggering coverage. The cyberinsurance policy should at minimum cover the risks that the RIA is most concerned about and, in the best case, be as broad as possible to cover cyber risks that could be relevant, including potential off-line risks. A narrowly defined scope of coverage protects the insurer, whereas a broad scope provides more coverage to the RIA.
- Don’t forget about insider and third-party risk. RIAs should pay close attention to a policy’s coverage for human error or negligence and make sure the verbiage is worded for appropriate coverage. It’s easy to think about cybercriminals “out there,” but cyberbreaches can result from insider acts or from vendors and other third parties, whether intentional or not. RIA owners need to know if the cyberinsurance policy has an exception for insiders who act without the knowledge of senior management, and for those who do not follow the firm’s documented cybersecurity policy protocols and procedures. The policy should also protect against losses where others manage or handle data for the firm.
- Keep time on your side. Oftentimes, cybersecurity incidents take place well before a disruption is discovered. Policies with retroactive coverage can provide protection if a breach is discovered to have occurred during a time that predates the policy period. But once a breach has been discovered, the clock starts ticking for the RIA, which will need to show it acted right away in accordance with the steps outlined in its incident response plan, as part of the firm’s cybersecurity policy.
- Be thorough. No one likes filling out insurance applications, but no one likes being denied coverage either because the insurer decides certain questions were not answered accurately. Take care in filling out the forms – RIAs should work with their legal counsel and with their CIO/CISO when completing the application. Similarly, when reporting a breach and filing a claim, RIAs need to be thorough and work with their cybersecurity team – legal counsel, the CIO, the technology partner – to complete the requisite paperwork in its entirety.
- Take a holistic approach. Similar to Errors and Omissions (E&O) insurance, a strong cybersecurity insurance policy should be part of every RIA’s operating and risk management toolkit. Evaluate all of the firm’s insurance policies together for a complete picture of the firm’s coverage and coverage gaps.
Remember, cyberinsurance is not cybersecurity, and it is not a substitute for having a strong cybersecurity policy and protocols. If a breach occurs, RIAs will need to defend themselves to regulators and also to insurers. Just like the SEC, insurers will want to know, “Did you do everything you could have?”
In fact, cyberinsurance policies often contain exclusions related to the RIA’s inadequate cybersecurity standards and controls. Of course, RIAs should work with their attorneys to address and remove these in policy drafts. But firm owners should also protect themselves by putting in place strong, enforceable cybersecurity policy and protocols.
As technology evolves and cybercriminals become increasingly sophisticated, RIAs will continue to be best served by a strong offense — that is, a defensible and enforceable cybersecurity policy and protocols — together with a strong defense in the form of generous cyber-insurance coverage.