Cyber & E&O: Why It’s Risky for Advisors to Combine These Policies
By Jon Talamas
Regulators and custodians now require registered investment advisors (RIAs) to buy errors and omissions (E&O) and cyber insurance. Consider your options carefully so you don’t purchase low-quality coverage that might cost you more in the long run.
Registered investment advisors (RIAs) face pressure to mitigate risks in their practices by purchasing a cyber and errors and omissions (E&O) policy for RIAs. The question now is how best to do so to quell mounting regulator and financial-custodian concerns.
Advisors have two options:
- First, they can acquire an E&O/cyber solution. This is a bundled insurance policy for advisors. This option, though convenient, might result in losing your E&O protection if an insurer cancels the bundled coverage after a cyber claim.
- Second, they can buy standalone cyber liability and data breach coverage and maintain a separate E&O insurance policy.
The growing volume of cybercrimes in the financial sector lends urgency to RIAs protecting themselves and their clients. For instance, ransomware attacks, in which hostile actors hold computers and data hostage, have exploded over the last several years. According to Sophos, a cybersecurity consulting firm, 55% of global financial services firms surveyed experienced a ransomware attack in 2021. That was substantially higher than the 34% targeted in 2020.
Making matters worse, the global pandemic splashed fuel on the ransomware fire. Homeland Security Secretary Alejandro Mayorkas stated, “The rate of ransomware attacks increased 300% in 2020.” According to the New York Department of Financial Services, ransomware losses have largely pummeled the cyber insurance market because ransom demands have skyrocketed. From 2019 to 2020, they increased by 171% and continue to mount relentlessly. As a result, cyber insurance loss ratios grew from an average of roughly 40% during 2015-2019 to just more than 70% in 2020.
Not surprisingly, rising cyber claim costs have led insurers to boost premiums and, in some cases, restrict coverage to preserve profits. For example, according to Business Insurance, total direct written premiums for standalone cyber policies increased from $1.62 billion in 2020 to $3.15 billion in 2021, an increase of 92%. Similarly, packaged cyber premiums reached $1.68 billion in 2021, up from $1.1 billion the prior year. In addition, the average renewal premium increase was 34.3% in the second quarter of 2022. That was the fifth consecutive quarter in which cyber renewal pricing advanced by more than 25%.
With heightened cyber risks, regulators and asset custodians have broadened RIA security requirements. State securities departments have mandated rigorous security practices to keep client assets safe. Meanwhile, large custodians, such as Fidelity and Schwab Advisor Services, have begun requiring advisors to have E&O and cyber coverage to reduce risk exposures and keep customer data safe.
As always, the elephant in the room is the Securities and Exchange Commission (SEC), which regulates large RIA firms. Early in 2022, the SEC issued proposed new cybersecurity requirements for RIAs and investment companies. Under the Investment Advisers and the Investment Company acts, the Biden Administration dramatically increased agency oversight of RIA cybersecurity.
According to the new rules, SEC-registered RIAs must take the following steps to safeguard client assets and data:
- Conduct cybersecurity risk assessments and document their findings in writing
- Develop and implement safeguards designed to address cybersecurity risks
- Report material cyber incidents to the SEC within 48 hours of occurrence
- Disclose all cybersecurity risks and incidents that happened in the last two years in marketing content and registration documents
- Adopt strict recordkeeping practices regarding assessments, policies and incidents to help facilitate the SEC’s cybersecurity inspection and enforcement
Following the SEC move, Fidelity Institutional, a major asset custodian, mandated that its RIA customers buy at least $1 million in E&O insurance and $250,000 in cyber coverage. The latter should cover losses from social engineering or other malicious attacks that lead to identity theft or wire fraud. Fidelity said RIAs could fulfill the cyber requirement by adding an endorsement to their E&O policies or purchasing a standalone policy.
The Dangers of Buying E&O/Cyber Package Deals
Bundled policies are convenient, but they’re not perfect. Consider these issues:
- Buying a bundled E&O/cyber package may put advisors at risk – They might buy E&O insurance and add a cyber endorsement to satisfy current requirements. But, with cyber claims rising, a claim on their combined policy might lead their insurer to either cancel the insurance package now or refuse to renew it later. This can leave advisors in the lurch, forcing them to find a new E&O carrier and pay a higher premium just because they had a claim.
- Insurers’ jury-rigged E&O/cyber solutions might sacrifice coverage quality – For example, when they add Cyber Liability and Data Breach protection via endorsement, they may only offer a low liability limit or coverage with gaping exclusions. RIAs should be aware of these shortcomings. Purchasing standalone E&O and cyber policies is the best way to secure robust protection that can withstand a large cyber loss.
- Purchasing an E&O/cyber bundle can be risky – Though a better approach than buying a cyber-endorsed E&O policy, it can still result in nonrenewal or cancellation, causing your bundled pricing to change.
- With cyber coverage becoming mandatory, insurers often discount premiums to write the business – Discounted premiums can sometimes mean inferior coverage.
- Finally, some insurers may offer no bundle discounts or provide deceptive pricing that appears like a lower price – However, it’s a standard rate that offers no advantage to RIA firms. Like other insurance comparisons, RIA owners should be sure to comb through the coverages and deductibles carefully to find the best value. That’s a true method of cost comparison. Many times, what seems to be the cheapest route exposes inferior protection after a little more due diligence. The devil’s sometimes in the details.
Bottom line: If you want to buy cyber liability and data breach insurance, do your research. Secure several quotes and carefully read each policy document so you know exactly what you’re buying. Also, select a stable and reputable insurer that will be around when you have a cyber loss. Finally, recognize that the least expensive policy will not always be the best solution. Saving money in the short run can turn into a costly mistake over the long haul.
As you contemplate complying with the new requirements, get educated about buying cyber protection. Learn how the policies work, especially the difference between first- and third-party coverage and common policy exclusions. And remember the value of excellent customer service, both from your insurer and your broker. Asking your broker questions and building rapport are both crucial aspects of the decision-making process.
In short, your investment-advisory clients work with you because they know and trust you. Shouldn’t you have the same relationship with your insurance broker and carrier?
Are you in the market for RIA E&O insurance? If so, check out the policies available from NAPA Premier. Our coverage for RIAs, investment advisor representatives (IARs), registered representatives and financial planners starts at only $72.08 per month.
Looking to add cyber protection to your insurance program? Convinced that bundled insurance coverage for financial advisors isn’t for you? Then consider our standalone cyber liability and data breach coverage – get your quote today.