Purchasing a cyberinsurance policy increasingly makes sense to many financial advisory firms. But there still are firms which do not buy dedicated insurance for protection from cyberattacks.
Some may think they are duplicative, too costly, or just unnecessary. Others, however, believe cyber-insurance is now a fixed cost of doing business in the age of cyberattacks.
Still, just how many financial advisors have cyber coverage is difficult to total. One reason is that some financial advisory firms may be getting cyberriders or endorsements to existing insurance — such as on an errors and omissions policy or a business interruption policy — rather than getting a "comprehensive" cyber-insurance policy, Carl Metzger, an attorney at Goodwin Procter, explained.
Financial advisors are also seen sometimes as less interested in cyberinsurance than other financial sector businesses. On top of this, only 29 percent of advisors questioned in a 2016 survey by the Financial Planning Association (FPA) completely agreed they were "fully prepared to manage and mitigate the risks associated with cybersecurity."
"I would say the financial advisory community has had a bit of a lagging interest level as well as appetite in cyberinsurance vs. other financial institutions," says Anton Lavrenko, deputy regional head and financial institutions cyber practice leader, North America, at Allianz Global Corporate & Specialty. "Having said that, we … have been noticing a recent spike in the interest, but we feel like this recent change is more of a 'check the box' type of exercise given FINRA and other regulatory bodies' examinations and inquiries."
From the policy holder's view, cyberinsurance policies are often limited in what they cover, too. Walter Andrews, an attorney at Hunton & Williams, said, "Unfortunately, there still are numerous gaps in cyberinsurance coverage since it is such a new product … and they vary by insurance company."
Some noteworthy gaps Andrews finds are: the lack of coverage for many breach of contract claims, exclusions for many regulatory actions, exclusions for cyber thefts by state-trained bad actors, and exclusions for infrastructure failure and property damage.
Even if they have a policy, financial firms should take precautions on their own, such as on training and planning. Lavrenko describes the policy as "the last line of defense when all else fails."
"You don't deal with this risk simply by just buying an insurance policy," Metzger advises. "You better be doing a lot proactively."