As the pace of cyberattacks increases, asset managers are taking a hard look at their cyber insurance coverage to make sure that it will cover them should they become a target.
Fidelity Investments was among 13 firms attacked by hackers earlier this October. Though Fidelity suffered no data losses, the incident was prominent enough that firms without cyber insurance are considering adding such coverage, brokers say. Also spurring interest is that the SEC and other regulatory agencies view such policies as a prudent part of cyber risk management. But there are a number of factors that asset managers should heed that are specific to the industry, as providers, policies, prices and needs will vary widely.
"Asset managers should be aware that if cyber liability is being carved out of traditional lines of coverage -- commercial, property -- it won't respond to cyber incidents," says Matthew McCabe, senior vice president, network security and data privacy at Marsh Finpro. "Cyber peril is something never really considered when these forms were first written."
Fund managers have to stop thinking that cyber security is an issue that can be controlled, McCabe adds. "You are going to be breached at some point. This is something out of the control of the IT department, and really anybody within the company, especially when you are talking about a sophisticated cyberattack," McCabe says. "Why would your average fund manager be able to stop an attack that could penetrate the NSA?"
The first step for asset managers is to understand why they would need cyber insurance in the first place, McCabe says. "Cyber insurance is not just about data breaches. Lawsuits can come from security failure and business interruptions.
"There are three things to think about: What data or other important information resources to my business is my cyber security protecting and if exposed what are the consequences? If my systems go down, what are the consequences to revenues? And what is my exposure to other parties, if some flaw in my security hurts my partners and causes me liability?"
It's also important that all of a firm's direct stakeholders in cyber security come together to discuss coverage options, experts add, since networked systems touch virtually every part of an organization.
"The issue is far too important to be left to a single individual - it can't be left to the risk manager alone," says Jagdev Kenth, director of risk and regulatory strategy in financial institutions at Willis Group, which provides brokerage services for insurance purchasing.
"This needs to be an A1 priority. There needs to be a multilayered approach to this issue. It's important to involve everyone top to bottom, including the CEO and the CFO, to conclude that an insured solution is the right way."
Asset managers then have to assess their existing liability coverage and determine to what extent it covers the firm in a data breach or attack, says Joshua Gold, an attorney with N.Y.-based law firm Anderson Kill, and chair of its Cyber Insurance Recovery Practice Group.
"You've got to take a look at the insurance your firm already has. Some of that coverage will apply to a cyber-related claim -- if you've got directors and officers insurance coverage, it is broad enough to protect management. A cyber claim qualifies as a wrongful act, and that should be covered even though it is not specifically mentioned."
Purchasing cyber insurance is a difficult process, Gold notes, since the very subject matter is tediously technical, and the offerings available are still new.
"It is a very challenging marketplace to figure out," Gold says. "There is no uniformity of cyber insurance products right now, which makes comparison shopping based on price a hard task.
"Also, cyber insurance policies are difficult to understand, as forms are often long and confusing."
Gold recommends firms work with an established insurance broker who has specialized in this area for at least three years, and has tracked the evolution of cyber insurance policies. "A lot of this coverage is still open to negotiation," he says.
There are multiple factors that go into determining the coverage that an asset management firm requires, Gold adds, including the type of data the firm keeps. If there is customer information that includes health data, for instance, that could increase premium costs and disclosure risks.
Other considerations include how many mobile devices employees use to store and transport company information, and how a firm stores its data, whether it is onsite or in a data cloud. "It is very important to match up the coverage you buy with the way you manage data," Gold says.
COST AND RISK
In her work advising asset managers on cyber insurance purchases, Shahri Griffin, senior vice president in the financial institutions group at Willis North America, says the question of cost obviously comes up as the firm decides whether to buy coverage.
Depending on the size of the firm, its revenues and the data it possesses, the price per $1 million of liability coverage can vary drastically. The coverage plan details and insurer reputation become key, she adds. "When it comes to pricing, what are you talking about, a Toyota or a Mercedes?"
"There are a number of asset managers considering this coverage, and there are firms deciding to go without," Griffin adds. "We remind them it helps come up with money if a situation arises and also provides services, such as IT forensics teams. It's almost like buying into a health insurance plan."