By Kirsten Bay, CEO and Co-Founder, Cysurance
Registered Investment Advisors (RIAs) are facing a brave new world. As online commerce, the Internet of Things, automation, cloud computing, mobile devices and social media open new doors for sales, distribution, operations, and customer service, they also create new opportunities for criminals. Technology has become a gift and a curse, and the exposures it creates require not only modern cybersecurity and cyber governance, but tailored, comprehensive cyber insurance as well.
From 2016 through 2018, cyber incidents increased by 81 percent according to the Chubb Cyber Index. And if you’re thinking that number is driven by losses at large, Fortune 500 companies, think again. In the same period, companies with less than $10M in revenue saw cyber incidents increase by 254 percent. And as gateways to millions of dollars of client assets, RIAs – almost two-thirds (64 percent) of which report fewer than 50 employees – offer a particularly appealing target (source: Financial Advisor 7/8/19). In 2016, 74 percent of financial advisors acknowledged experiencing cyberattacks, and a recent report estimates digital threats targeting the financial space increased 56 percent year over year in 2019 (sources: Integria 8/30/16 and Zerofox 8/14/19).
But why are more than half of all cyberattacks – 62 percent in 2016 – directed at small and medium businesses (SMBs) (source: Small Business Trends 6/3/16)? After all, their market share, data, and revenue are dwarfed by larger corporations. But so are their IT budgets and cybersecurity programs, meaning most cannot secure truly comprehensive protection against cyber risks. SMBs often run outdated or unpatched software, lack proper password hygiene, transmit unencrypted data, or fail to secure endpoint devices – making them ideal targets for attackers. And while a single company may not provide a big payday, the SMB industry in aggregate offers a substantial payout without front-page headlines. With the financial damages of cyber crime projected to reach $6 trillion annually by 2021 – more than double the same figure from 2015 (source: Chubb Cyber Security Business Report 1/23/18) – small and medium business owners cannot afford to assume they are not a target. As we say in the industry, it’s not a matter of if you will be attacked, but when.
Figure: A ranking of the top risk concerns of respondents to the Marsh / Microsoft 2019 Global Cyber Risk Perception Survey.
And while recent regulatory guidance from FINRA and the SEC has focused on technical safeguards like access management, data loss prevention, dual-factor authentication and penetration testing, as well as procedural best practices and training, a third component is often overlooked by regulators and RIAs alike – cyber insurance.
Even the best technology cannot prevent all cyberattacks. Think of your network like a car – even with the most modern safety technologies, a distracted driver or reckless third party can still cause serious damage; you still buy auto insurance despite the rearview camera and lane departure warnings. And for RIAs, a cyberattack can be devastating. According to the 2019 Cost of a Data Breach Report by the Ponemon Institute, the financial services industry experienced the second highest average total cost for a breach at $5.86 million, compared to an average of $3.92 million.
And while many RIAs focus on potential liability after a loss, the resulting business interruption and incident response costs can far outweigh ransomware payments or third party lawsuits. According to The Ponemon Institute, healthcare, financial services and pharmaceuticals have the most trouble retaining customers after a breach, which may contribute to these highly regulated industries facing a greater percentage of overall costs in the second and third year after a breach – 32 percent and 16 percent respectively, compared to 22 percent and 11 percent overall – as they struggle to replace lost revenue.
Yet many RIAs leave themselves exposed to these long-tail costs by assuming a breach can be resolved by simply paying a ransom, fine or legal fees. But paying a ransomware demand often does not recover the lost files – according to a study from cybersecurity company CyberEdge, 50.6 percent of those who pay do not recover their files. While paying ransoms may make sense in some cases, and replacing compromised equipment and responding to lawsuits is important, hiring a forensics team to identify and patch the breach, recover or reconstruct lost data, identify attackers and prevent similar incidents from occurring in the future can cost much more, as can public relations firms to repair reputation, call centers to manage regulatory notification requirements, and credit monitoring services for affected customers. According to the Chubb Cyber Index, these make up 57.4 percent of total cyber claims costs since 2009.
But as cyber threats have evolved, insurers’ understanding of them has grown, increasing competition and lowering rates. Today, premiums for a robust policy can be as low as $55 a month. Such protection can provide a competitive advantage by reimbursing financial losses, satisfying customers’ and vendors’ insurance mandates and addressing compliance and regulatory requirements.
A strong policy might have helped Voya Financial when, in 2018, the Securities and Exchange Commission fined it $1 million and required it to retain an independent consultant to evaluate its cybersecurity tools and procedures following a cyberattack that compromised thousands of customers’ personal information. In its first enforcement of the Identity Theft Red Flags Rule, the SEC said criminals impersonating Voya contractors called the company requesting password resets, then used the new passwords to access the confidential information of 5,600 customers. The SEC claimed this was made possible by failures to update weak cybersecurity procedures, some of which were exposed in prior fraudulent activity, and that Voya failed to apply the procedures to independent contractors.
While the fine is significant, it is at least a known cost. The eventual total cost of the consultant and any recommended system upgrades or procedural changes is harder to quantify. If Voya’s technology and security were seriously outdated, or it lacked things like a cyber incident response plan or employee training, these costs can add up quickly. And it’s impossible to know what the event might cost Voya in lost business and brand reputation. Cyber insurance would likely have paid the fine and any business interruption losses from network downtime needed to update systems. A good policy would also pay for a public relations firm to repair Voya’s reputation and regain the public’s trust, and demonstrate to future customers that Voya takes cybersecurity seriously and makes every effort to protect – and reimburse, if necessary – its customers.
Hackers are also growing more detail-oriented in their efforts. When the owner of a hotel development company in Seattle had his email hacked, the perpetrator gained access to a history of correspondence with the firm’s bookkeeper and all the details needed to commit wire fraud, costing the business over $1 million. The attacker mimicked the owner’s style and language in emailing wire requests to the accountant, instilling a false sense of security, and because the owner’s calendar was also compromised, the requests always came when he was in meetings. Therefore, the attacker could respond to questions, complete the transfer and delete related messages before the owner checked his email again.
This should demonstrate to RIAs the importance of dual authorization for wire transfers, which prevents a single user from both initiating and authorizing such a transfer. In this case, the bookkeeper’s fund transfer request could not have been completed without the owner signing off in a separate, secure platform. Confirming transactions by a direct phone call between the parties is still recommended, but this added control can help prevent fraud even when that call is skipped or spoofed.
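The dual-authorization control described above, as an added example (not code from the original article or from Cysurance): a wire request can only be released after a different person approves it from a separate, authenticated channel, so an attacker who controls only the owner’s mailbox cannot complete the transfer. User names, channel labels and amounts are constructed for illustration.

```python
"""Dual-authorization (four-eyes) check for wire transfers.

Added example. It enforces two rules from the text: the initiator may not
approve their own request, and approval must come from a separate secure
platform, never from the same channel (e.g. email) the request arrived on.
"""
from dataclasses import dataclass, field

# Constructed: channels that count as a separate, authenticated approval platform.
TRUSTED_APPROVAL_CHANNELS = {"treasury_portal", "hardware_token_app"}


class TransferPolicyError(Exception):
    """Raised when an approval or release violates the dual-authorization policy."""


@dataclass
class WireRequest:
    request_id: str
    amount: float
    beneficiary: str
    requested_by: str        # user who entered the request (e.g. the bookkeeper)
    request_channel: str     # where the instruction came from (e.g. "email")
    approvals: dict = field(default_factory=dict)   # approver -> channel used
    released: bool = False


def approve(req: WireRequest, approver: str, channel: str) -> None:
    """Record an approval only if it satisfies separation of duties."""
    if approver == req.requested_by:
        raise TransferPolicyError("initiator cannot approve their own request")
    if channel not in TRUSTED_APPROVAL_CHANNELS:
        raise TransferPolicyError(f"approval over untrusted channel: {channel}")
    if channel == req.request_channel:
        raise TransferPolicyError("approval must use a channel separate from the request")
    req.approvals[approver] = channel


def attempt_approval(req: WireRequest, approver: str, channel: str) -> bool:
    """Try an approval; True if accepted, False if the policy rejected it."""
    try:
        approve(req, approver, channel)
        return True
    except TransferPolicyError:
        return False


def release(req: WireRequest) -> bool:
    """Release funds only once a distinct approver has signed off."""
    if not req.approvals:
        raise TransferPolicyError("no approval on record; transfer blocked")
    req.released = True
    return req.released
```

In the Seattle scenario the attacker's emailed "approval" is rejected because email is not a trusted channel, and the bookkeeper cannot approve the request they entered; only the owner acting in the treasury portal can release it.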
These are just some of the risks RIAs face without a trusted insurance partner, but through this lens it is easy to see how 60 percent of SMBs suffering a cyber breach go out of business within 6 months (source: Small Business Trends 8/22/19). And while many business owners focus on upgrading technology and governance to address cyber exposures, only by adding a robust cyber insurance program can they be truly protected.
Cysurance is the next generation cyber solution, protecting small businesses and their partners through affordable cyber insurance. Built on a proprietary platform, our program comes with a complete set of features to safeguard business continuity and insure against loss, protecting both revenue and recovery. For more information, visit www.cysurance.com, follow us on LinkedIn, Facebook, Instagram and Twitter, or email us at firstname.lastname@example.org.
Chubb is the marketing name used to refer to subsidiaries of Chubb Limited providing insurance and related services. For a list of these subsidiaries, please visit our website at www.chubb.com. Insurance provided by ACE American Insurance Company and its U.S. based Chubb underwriting company affiliates. All products may not be available in all states. This communication contains product summaries only. Coverage is subject to the language of the policies as actually issued.