Navigating the Cyber Risk & Liability Landscape
In the last decade, the financial services industry has seen a dramatic increase in the number of high-profile cyber-attacks. Data breaches have risen in frequency, sophistication and risk impact. In light of this trend, emerging and established firms alike must consider measures to mitigate these growing risks. During this week’s session of our Hedge Fund Launch Webinar Series, Nicole Segal and Gamelah Palagonia of Willis Towers Watson spoke with us about how to leverage cyber and privacy liability insurance, and offered insight into the evolving nature of cybercrime.
Read on for a recap or click here to watch the full, 30-minute replay.
“In the past two years, there’s been more talk than action,” Palagonia began. In the past, most hedge funds didn’t feel like they had exposure because they weren’t collecting personally identifiable information (PII) or credit card information. Now, with the threat of ransomware and damage to digital assets looming, hedge funds are increasingly interested in cyber insurance. Our guests acknowledged, however, that new SEC guidelines have also played a large role in shaping how firms consider cyber insurance. “There was a shift at the SEC level from a compliance-based to risk-based approach,” said Palagonia. “You can’t just wait until an event happens to remediate it.”
Segal noted that despite increased regulatory exposure, the general insurance market for hedge funds has reacted quite favorably. In the past two or three years, many insurance companies have entered the marketplace to underwrite hedge funds on both the property and casualty side. Rates are dropping dramatically, and coverage terms are relatively favorable at this point in time. For example, many of the coverages required by startups come in business packages at reasonable cost. This must-have coverage typically includes property & casualty, general liability and workers’ compensation.
If you’re targeting institutional investors, Segal recommends looking at certain coverages right away. These include errors and omissions (E&O), directors & officers (D&O), and in some cases the fidelity bond. “These policies respond directly to business risks,” she said. “They can be the difference between a company staying in business and not being able to move forward.”
Specifically, on the cyber front, Palagonia outlined the differences between first-party and third-party standard coverage. First-party coverage refers to ransomware or anything else that creates an immediate need for the business to take action. These costs may also include notification of the affected individuals in the event of a breach, forensics, and crisis management expenses. Coverage must also be in place for digital assets that are lost as the result of a breach.
Palagonia predicted that third-party claims will increase in the future. These are, for example, claims against a client alleging privacy violations, network security compromised by a vendor, or media liability for images or information posted online. These types of claims are generally covered in a typical cyber policy. She noted that cyber liability policies are one of the only products that include insurance for fines and penalties in addition to regulatory actions.
Segal recommended considering a variety of options when “shopping” for insurance portfolios. For example, if the insurance company takes a favorable view of what the firm does and of its policies and procedures, it may offer cyber liability coverage embedded in E&O or D&O policies. Or the company may embed some type of cyber social engineering coverage within a fidelity bond. “Be an educated buyer,” she said. E&O- and D&O-focused cyber insurers are happy to tailor your policies to your specific risks. “Take the time: it makes the difference.”
SEC & Third Party Risk
In commenting on the SEC, our guests also touched upon regulations involving vendor relationships and third-party risk. They agreed that responsibility lies at the hedge fund level. “The law goes with the data,” Palagonia began. Data owners are responsible for any breach no matter how many contracted parties store or process their data. She recommends firms take steps to ensure that third-party contractors protect data in line with regulations. First, properly vet third-party service providers. Then, consult an attorney. Finally, make sure your service providers properly encrypt data in transit and retain it only for as long as they need it to perform the service you contracted them to do. Segal echoed this advice, recalling a recent hedge fund contract review she conducted in which 10 out of 10 vendor contracts said the vendor was not responsible for a breach of data. “You want to know what your position is before those situations happen,” she concluded.
Cost of a Cyber Insurance Policy
Both speakers agreed that many variables affect the cost of a cyber insurance policy: among them the cost of the business, the industries served, revenues, number of employees, and retention. For a first-time buyer with good controls and no losses, Palagonia estimates a $10,000 minimum premium for a $1mm limit. Segal added that with good marketing and good competition, firms may find an insurance company with a “particular appetite” for their specific risk. A typical E&O/D&O policy with $1mm of coverage could cost between $18K and $20K, whereas cyber could be $8-10K per million dollars of coverage. The good news, according to our experts, is that the market for hedge funds and financial institutions is soft. In the financial services industry, while there have indeed been breaches, losses, and successful phishing schemes, nothing yet has reached the scale of the Target or Anthem breaches, for example. “Most experts would say it’s just a matter of time,” Segal warned. After that, it will be more difficult to buy insurance. “If you are thinking about it, now’s a good time to do it.”
Our guests concluded by emphasizing once more how alarming the escalation in cybercrime has become. Palagonia cited a PwC report that states a 12% decline in financial losses in the financial services industry, yet a 183% increase in theft of personal data and intellectual property. Our speakers highlighted the importance of awareness and education in cyber risk mitigation, particularly how firms should be training their employees to recognize and stop threats.