(The writer is a Reuters contributor. The opinions expressed
are his own.)
By Matt Rybaltowski
June 26 - A robust cyber security insurance policy
can be tricky to procure, even for the most meticulous wealth
management firms.
Interest in cyber insurance has surged over the past year
following a number of high-profile hackings, including
one announced earlier this month involving the U.S. Office of
Personnel Management.
In response, many industries, and the financial services
industry in particular, have stepped up their vigilance against
cyber crimes.
Last year, financial institutions raised by nearly 20
percent the total limits of their cyber coverage with Marsh, a
global insurance broker and unit of Marsh & McLennan Cos, to an
average of $23.5 million.
Premiums for a $10 million policy at financial institutions
with under $1 billion in revenue can run between $150,000 and
$175,000 per year, according to Marsh.
Insurance coverage would help offset the financial burdens
of a cyber attack, covering everything from notifying customers
to hiring technology experts.
About 50 insurance carriers offer cyber insurance in the
United States, including Ridge Insurance Solutions, a global
insurance company launched in October by former Department of
Homeland Security (DHS) secretary Tom Ridge.
More than 60 percent of brokerages examined during a
Financial Industry Regulatory Authority (FINRA) review of
brokerages' cyber security practices had a standalone cyber
security policy, the Wall Street watchdog said in a February
report.
Here are some tips on finding the best policy for your firm.
CURB RISKS
Efforts to limit potential risks could lower premiums.
Phishing attacks, or attempts to steal sensitive data, have decreased
at Raymond James Financial Inc since it launched a cyber
threat center in 2013, where a team monitors around the clock
for problems, said Andy Zolper, Chief Information Security
Officer. Firms should also find a carrier that will complete an
"honest assessment of their vulnerabilities," to avoid
purchasing a policy "full of holes," Ridge said.
ENCRYPT DEVICES
Insurers may reward efforts, such as the encryption of
employees' mobile devices, with discounts by offering lower
deductibles and premiums, said Robert Parisi, cyber product
leader at Marsh.
The encryption process depends on the phone model, but is
often user-friendly.
CHECK FOR COVERAGE GAPS
Some firms believe their coverage is complete after adding
cyber riders to general business insurance. But there can be
gaps, said Adam Cottini, managing director of the Cyber
Liability practice for global insurance brokerage Arthur J.
Gallagher & Co.
For example, outdated language in insurance documents may
not mention coverage for phishing attacks.
NEGOTIATE SUBLIMITS
A $1 million policy may offer only $250,000 in coverage
sublimits for each of four potential claims categories,
including legal expenses and hiring a forensic company to
analyze damage. But insurers can increase those sublimits
without changing the overall limit.
DETAILS
Read the fine print, said Hardeep Walia, chief executive of
Motif Investing Inc, at a May FINRA conference. A policy may
exclude coverage for regulatory expenses, which may surprise
firms.
Insurers are cutting back as regulators home in on cyber
security violations, Marsh's Parisi said. That could leave firms
on the hook for big bills, such as for legal representation.
(Editing by Suzanne Barlyn and Bernadette Baum)