Cyber security. Cyber breach. Cyber insurance. These are no longer terms of the future. Is your firm ready to address each of these areas?
Experts agree that no matter the size of your business, if you handle Personally Identifiable Information (PII), you had better be prepared to protect it in ways you never considered before.
Or as a regulator ominously stated in response to a recent incident: "Firms must adopt written policies to protect their clients' private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs."
The Securities & Exchange Commission case in question was settled with R.T. Jones Capital Equities Management in September when it was found that the firm violated the safeguards rule. The St. Louis firm, with assets under management of $481 million and approximately 8,500 accounts, experienced a loss of data on a third-party server via a suspected hack from 2009 to 2013 that exposed the PII of upwards of 100,000 individuals, many of whom were clients of the firm. The firm was fined $75,000 and had to take other precautionary steps to protect those affected.
This is a much more common problem than many realize. We hear about the high-profile cases, but a report that tracks data intrusions indicates that there have already been 577 breaches in the country this year with nearly 156 million records exposed. It's particularly frightening to see the sheer number of businesses and financial services companies that are included on the list. These types of reports are increasingly common since 47 states (plus Washington D.C., Puerto Rico, Guam and the U.S. Virgin Islands) have passed legislation that requires private or government entities to notify individuals of security breaches involving PII. Only Alabama, New Mexico and South Dakota have failed to follow suit.
The exposure of records can add up quickly. The financial sector ranks third in the per capita data breach cost at $259 per record lost (behind pharmaceutical and health industries at $298 and $398, respectively).
As a result, the trend of obtaining cyber insurance is on the rise. The Wall Street Journal has reported that advisors are increasing the business-insurance policies they hold and that some are opting for specific coverage that includes "computer fraud and related damages."
According to the article, premiums for this kind of coverage usually depend on a "firm's annual revenue, assets under management or number of advisers, as well as the particulars of its data systems—including how solid its securities procedures are and whether maintenance is outsourced." One insurance broker interviewed for the story says only 50 of his 500-plus adviser-clients have paid for coverage of cyberattacks. "For the financial advisory industry, this is very new," he said.