In an epic 2013 data breach at a major bank, officials estimated information was compromised on 76 million households and seven million small businesses. Public reports in the aftermath of the incident noted investigators traced the breach to the network of a third party vendor – the bank’s security team reportedly neglected to upgrade a server at the small company that runs the bank’s charitable race website. It’s a seemingly small oversight that created a virtual unlocked door through which hackers gained access to the bank’s vast network.
That breach prompted state and federal regulators to push financial service providers, including banks, to bolster their own security as well as that of outside vendors. Banks have invested, and continue to invest, heavily in information and network security, as they have been a significant target for criminal activity, including cyber attacks. On the other hand, asset managers, widely recognized as an industry ripe for cyber attacks, are still in the process of assessing their cyber exposure and increasing their investment in information security programs. With midsize funds running from $1 billion to $5 billion, and the largest funds in the multi-trillion dollar range, it is imperative that asset management firms identify their cyber exposure and begin appropriately managing those risks, according to Kenneth Li, the financial services product director at The Hartford.
Cyber attacks pose risks that implicate every area of asset managers' businesses, including theft of intellectual property, violation of client privacy, business interruption, and class action lawsuits. In addition, regulators have identified cyber attacks as a significant threat to the financial services sector and have increased their examinations and enforcement activity. For instance, the Office of Compliance Inspections and Examinations (OCIE) and the Securities and Exchange Commission (SEC) have embarked on a mission to assess cyber security preparedness and threats in the securities industry, launching examinations last year of more than 50 investment advisors and broker/dealers. Where firms have fallen short of adopting appropriate precautions, regulators have assessed significant fines against financial service providers, including asset managers.
Identifying cyber-related exposures and applying the right privacy and information security programs is a monumental task, especially against a backdrop of an ever-changing threat landscape and continually evolving adversaries, according to Thomas Kang, the cyber product manager for The Hartford. While industry standards and cyber security frameworks, including those outlined by the National Institute of Standards and Technology, can help, asset managers should look to cyber insurance products to transfer some of the risk.
Kang outlines some cyber insurance solutions available to asset managers:
Cyber Security Services
While it is critically important to have internal privacy and information security professionals, leveraging outside service providers to assist in privacy and information security can help asset managers quickly identify vulnerabilities and close any security or compliance gaps in a cost effective manner. However, it can be difficult for even experienced information security professionals to identify cyber security services that matter and service providers with the requisite experience and skills to help mitigate cyber risks. Experienced insurance carriers have identified gaps and vulnerabilities that have led to actual paid losses and can recommend services and service providers that can improve an organization’s privacy and security posture.
Incident Response Expenses
Currently, 47 states have data privacy laws that require notification of a data breach. Often, there are significant costs associated with investigating an event, assessing any requirements, engaging third parties to notify clients and consumers, and communicating proactively with appropriate government agencies. According to the 2014 NetDiligence Cyber Claims Study, the average cost for crisis services, including notification costs, was $366,484. Moreover, a failure to respond properly to a data breach can lead to consumer class actions and regulatory proceedings, which can quickly multiply losses. Most importantly, data breaches can damage a company’s brand and diminish the trust it has worked to build with its clients. Insurance products can provide coverage for these expenses, and experienced carriers can also be a valuable partner in ensuring that breaches are handled the right way to protect the company’s brand and mitigate third party liability.
Third Party Lawsuits
Even when the breach response is handled correctly, consumers can seek redress of any damages they may have suffered. In addition, regulators often initiate investigations following a breach to determine if the firm had properly established cyber security protocols. This can be especially acute for asset managers, who are entrusted with safeguarding extremely sensitive client records. However, errors and omissions insurance policies for asset managers are often unclear as to whether claims associated with data breaches, including regulatory investigations, are covered as a failure to properly render professional services.
According to Kang, it is critical that risk managers secure cyber insurance policies that expressly address this exposure.
The question is no longer “if”, but “when” a data breach will impact a company’s bottom line and business performance. “This may represent a significant shift for asset managers accustomed to thinking about liability in terms of their role as fiduciaries. But having best practice-based policies and procedures is the best hedge against a catastrophic network system breach and its devastating after-effects,” says Li. Partnering with the right insurance company can help asset managers proactively improve their information security posture and reduce losses when something goes wrong.
By Kenneth Li, The Hartford and Thomas Kang, The Hartford (Source: TheHartford.com)
 On May 22, 2015, FINRA found that Sterne Agee violated SEC Reg S-P based on the firm’s failure to encrypt an employee’s laptop, which was inadvertently left in a restroom and lost. FINRA fined the firm $225,000 for failing to establish a system that protected customer data using “appropriate technological precautions.”
 The Hartford disclaims all liability with respect to any such services and service providers. The services provided are not substitutes for the services of your legal counsel.