[BreachExchange] Advisors ‘Lagging’ in Proper Insurance Against Cyberattacks

Fri Nov 3 14:18:26 EDT 2017

http://www.thinkadvisor.com/2017/11/02/advisors-lagging-
in-proper-insurance-against-cyber?slreturn=1509653495

Purchasing a cyberinsurance policy increasingly makes sense to many
financial advisory firms. But there still are firms which do not buy
dedicated insurance for protection from cyberattacks.

Some may think they are duplicative, too costly, or just unnecessary.
Others, however, believe cyber-insurance is now a fixed cost of doing
business in the age of cyberattacks.

Still, just how many financial advisors have cyber coverage is difficult to
total. One reason is that some financial advisory firms may be getting
cyberriders or endorsements to existing insurance -- such as on an errors
and omissions policy or a business interruption policy -- rather than
getting a “comprehensive” cyber-insurance policy, Carl Metzger, an attorney
at Goodwin Procter, explained.

Financial advisors are also seen sometimes as less interested in
cyberinsurance than other financial sector businesses. On top of this, only
29 percent of advisors questioned in a 2016 survey by the Financial
Planning Association (FPA) completely agreed they were “fully prepared to
manage and mitigate the risks associated with cybersecurity.”

“I would say the financial advisory community has had a bit of a lagging
interest level as well as appetite in cyberinsurance vs. other financial
institutions,” says Anton Lavrenko, deputy regional head and financial
institutions cyber practice leader, North America, at Allianz Global
Corporate & Specialty. “Having said that, we … have been noticing a recent
spike in the interest, but we feel like this recent change is more of a
‘check the box’ type of exercise given FINRA and other regulatory bodies’
examinations and inquiries.”

>From the policy holder’s view, cyberinsurance policies are often limited in
what they cover, too. Walter Andrews, an attorney at Hunton & Williams,
said, “Unfortunately, there still are numerous gaps in cyberinsurance
coverage since it is such a new product … and they vary by insurance
company.”

Some noteworthy gaps Andrews finds are: the lack of coverage for many
breach of contract claims, exclusions for many regulatory actions,
exclusions for cyber thefts by state-trained bad actors, and exclusions for
infrastructure failure and property damage.

Even if they have a policy, financial firms should take precautions on
their own, such as on training and planning. Lavrenko describes the policy
as “the last line of defense when all else fails.”

“You don’t deal with this risk simply by just buying an insurance policy,”
Metzger advises. “You better be doing a lot proactively.”

>From his vantage point, Metzger says that five or 10 years ago, it was just
a “small minority” of financial advisory firms who were purchasing
cyberinsurance. “That number has grown over time,” he said.

Walter Andrews, an attorney at Hunton & Williams, attributes the increased
interest in cyberinsurance to the growing number of hacking incidents, and
how the “investment industry” has seen “several high-profile breaches … and
is particularly vulnerable to cybersecurity breaches given the type of
confidential personal and financial information that it controls.”

The trend comes, too, as there is greater awareness of cybersecurity among
financial advisors, Metzger said. In fact, some 81 percent of financial
advisors called cybersecurity a “high priority,” according to the FPA
survey.

Many professionals caution against a one-size fits all cyberinsurance
policy for financial advisors. As a starting point, Andrews said the policy
should cover both “first-party breach response costs -- counsel, forensic
investigators, etc. -- as well as liability coverage if clients bring
claims or suits if their data is accessed.  And, they need to have coverage
for social engineering fraud, either through their cyber policy and/or
through their crime policy, particularly given requests to transfer funds,
etc.”

Also, Lavrenko said financial advisors should buy coverage at least which
addresses “security failures and privacy breaches, [such as] notification,
forensics expenses, breach coaching expenses, etc., as well as cyber
extortion events whose frequency has been ticking up recently….” Also, he
recommends including preventative cyber incident services, vulnerability
scanning and cyber security awareness training.

More fundamentally, he said, customers want a “guarantee of a safety net
and that's what the cyberinsurance policy provides to the customers of its
policyholders.”

Another concern is whether clients of a financial firm be allowed to find
out about the insurance. Andrews says they should. “I think that clients
want to be reassured that their advisors are sufficiently insured so that
they will remain in business if they are hacked,” he said. “They don’t want
their advisors to risk going bankrupt if they don’t have sufficient
insurance, as that may impact the clients’ investment portfolio.”

“Financial advisory firms care very much about their reputation in the
marketplace,” Metzger added. “They want to make customers feel like they
were prepared.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171103/107fb0c4/attachment.html>