Money managers starting to buy cyber insuranceReprints
Money managers increasingly are buying cyber security insurance to supplement their technology security strategies to both combat data breaches and deal with repercussions if hackers do break in.
About 30% of U.S. institutional money managers had cyber security insurance coverage as of Jan. 1, sources said, most of which were firms with more than $10 billion in assets under management. That compares with only 5% at the start of 2014, they said.
Along with news coverage about cyber attacks across the business spectrum, interest has been piqued by a new round of manager reviews by the U.S. Securities and Exchange Commission under its Regulation Systems Compliance and Integrity rule.
As part of the new round of Regulation SCI reviews, which focus on firms' technology safeguards in the event of a breach or a system failure, the SEC wants to know what, if any, cyber security insurance managers have. Most managers contacted for this story wouldn't discuss whether they have cyber security insurance, citing overall concerns about publicizing their cyber security policies.
“There's no SEC requirement today to have a (cyber security insurance) policy but they've said publicly that managers should be able to disclose their policies and procedures for cyber security and everything that applies to it,” said Josh Hall, global head, investment operational due diligence, Willis Towers Watson P.L.C., New York.
Greg Vernaci, senior vice president and head of cyber, U.S. & Canada, financial lines, at American International Group Inc., New York, said interest in cyber security insurance “has reached a tipping point in the U.S. and has been fueled by the increased attention from the SEC on investment advisers and asset managers.”
Even without the SEC's effort, reports of extensive high-profile data breaches at retail giants such as Target Corp. and The Home Depot Inc. have caused money managers to look at their own cyber security policies and programs — including insurance coverage, said Graig Vicidomino, associate director at Crystal & Co., a New York-based insurance broker for the financial services industry.
“More and more asset managers are buying based on headline risk, or what they've seen in the news about breaches at other firms,” Mr. Vicidomino said. “So managers have really become proactive buyers as opposed to reactive buyers. Also, on the back end, they're insuring their reputational risk, ensuring they have enough coverage to survive an attack and limit the number of clients who'd otherwise be running out the doors after a breach. They're buying insurance strategically.”
AIG's Mr. Vernaci said the insurer's financial services clients “are also realizing how technology-dependent they are in operating their business” and are looking at network interruption coverage for income loss and extra expenses if a security failure interrupts or shuts down their business.
Along with the 30% of managers with cyber security insurance overall, another 25% have either talked with officials at Crystal and other brokerages about buying such coverage or are in the process of obtaining the insurance, sources said.
Such questions also are being asked by investment consultants who review managers for their asset owner clients.
“I think everyone in the asset management business, both internally and externally by their consultants, is asking about it,” said Tim Barron, Chicago-based chief investment officer at Segal Rogerscasey L.L.C. “No question, the knob has been turned up. The SEC questions will just turn it up even higher.”
“It's a big topic of conversation with our (asset owner) clients,” added Mr. Hall. “Our operational due diligence includes an entire section on cyber security. We ask for manager information about their policy, if there's any (network penetration) testing, and what third parties are used and what's their security and insurance coverage ... exactly what's covered by their insurance, and what isn't.”
“It's not a deal breaker” if some managers don't have such insurance, Mr. Hall said — but eventually it will be. While Willis Towers Watson won't turn down uninsured smaller managers for shortlists, Mr. Hall said, “if a larger money manager didn't have cyber insurance, I'd likely recommend that the client not consider them. Most clients don't turn down managers over this. They're not getting how real the threat is. I think they will sooner or later. This eventually will be a deal-breaker.”
Part of the reason money managers — particularly those with less than $10 billion in AUM — don't have cyber security insurance is cost, sources said. A typical $1 million cyber insurance policy with a $10,000 to $20,000 deductible for a money manager with $1 billion to $5 billion in assets costs about $10,000 a year in premiums. Those costs can be onerous when added to firms' required compliance costs to meet regulations under Basel III and the Dodd-Frank Wall Street Reform and Consumer Protection Act.
But costs actually can vary depending on what kind of coverage a manager is buying — first-party or third-party. First-party policies usually involve immediate breach damage and cost coverage, forensic investigations into the causes of the breach, credit monitoring and remediation. Third-party policies generally cover liability claims by customers or regulators, legal costs, settlements and penalties. In some cases, third-party also will include reputational costs, including any public relations or media efforts to limit the damage to a company's reputation.
Costs also can vary given what's become a very competitive business for insurers like The Travelers Cos. Inc., Beazley P.L.C., American International Group Inc., Accel Group and Chubb Group of Insurance Cos.
“The marketplace is so competitive, for an asset manager with a larger website, one insurer may offer $5 million in coverage for $50,000 while another would offer the same coverage for $30,000,” said Mr. Vicidomino of Crystal & Co.
What can be covered within first-party and third-party policies is also expanding, said Paul Kim, co-chief broking officer at Aon Risk Solutions, New York. “Recently, the larger-manager space has focused on adding business interruption coverage in first-party policies to cover the loss of revenue while a manager or their vendor is down because of a cyber attack,” Mr. Kim said. He said most Aon clients have purchased both first-party and third-party coverage and then have added more coverage later.
Alpine Capital Research, a St. Louis-based institutional all-cap value equity manager with $2.5 billion in AUM, recently bought cyber insurance from Travelers to cover both liabilities from a breach and the cost of rectifying the breach, including forensic investigation and other information-technology work, said Brett Rufkahr, chief operating officer.
Question of coverage
“The decision was borne out of our concern about being cognizant of what's going on, not only in our industry but in business in general,” Mr. Rufkahr said. “We determined that we needed this kind of coverage. It's so different from the typical property and casualty coverage you get. We wanted to be on top of this.”
Mr. Rufkahr said cost was not as important to Alpine as was what coverage to obtain.
“I don't want to get into how much coverage we have, but if you want to buy a $1 billion policy, it's going to be costly,” he said. “The question for us was not whether it was too costly but what level (of insurance) works for the company. We can pursue higher limits in the future.” He wouldn't say the cost or coverage limits of Alpine's coverage.
Mr. Hall said it's inevitable that the SEC will require managers to have some kind of cyber security insurance coverage.
“The writing is on the wall,” Mr. Hall said. “The fact that they're asking indicates there could be a requirement in the future.” He doesn't expect the SEC to set specific amounts and kinds of insurance managers will need. “The SEC won't just put a number on insurance. They'll leave it to the managers, and they'll decide what they need.”
Rick Baert writes for Pensions & Investments, a sister publication of Business Insurance.