As more and more data breaches and ransomware attacks make headlines around the world, the need for digital asset protection has become top of mind for many financial advisors and business owners. In yesterday’s post, I outlined some cyber liability insurance basics, including what may and may not be covered if your RIA–broker/dealer has its own policy. Today, I’ll dig a bit deeper into the topic, including how you can assess your risks to determine what coverage you may need so you can choose the right cyber liability policy.
It’s 6:00 A.M. on a Monday morning. You hit snooze a few times before sitting up and grabbing your smartphone. A notification catches your eye. No, you’re not dreaming. Your business has been hit by a cyberattack.
How did this happen? You’ve put considerable effort into mitigating the risk of cyberthreats—staff education, encryption, and password polices, to name a few. Unfortunately, even with such protections in place, you can still become the victim of a cyberattack.
But hang on! You have cyber liability insurance. There’s no need to worry, right? That depends. Do you know the extent of the damage? Do you know what your policy covers? The answers to those questions will determine how concerned you should be.
What Went Wrong?
First, you’ll need to find out what information was involved in the cyberattack to determine if any confidential data was compromised. You’ll also want to look into how the breach happened. Was it because a scammer gained access to your firm’s data following a phishing attack? Was one of your employees the weak link?
If the incident occurred at your broker/dealer, which has its own cyber liability insurance policy, your B/D would likely cover data forensic expenses, extortion, notification costs, and credit monitoring for the affected individuals. If the breach happened on your end, however, you would be liable for the damages. If your firm is at fault, you will need to prove that your business did everything possible to prevent the breach and help minimize risk, such as taking proactive measures to ensure that proper security policies are in place and up to date.
Whether you are at fault or not, cyber liability insurance can’t mend a broken reputation. It can, however, help neutralize some of the costs associated with a cyberattack and help restore your business operations.
How to Choose the Right Coverage
Given everything we’ve discussed here and in yesterday’s post, you may be leaning toward purchasing a cyber liability policy. But how much coverage should you purchase? Following the three-step process described below can help you arrive at the best decision for your firm.
1) Assess your risk. If your office collects, transmits, stores, views, or interacts with personal information that hackers could use to identify a client, you are at risk for a cyberattack and need to ensure that your business is protected from what could go wrong.
Begin your assessment by getting a handle on your vulnerabilities. Do you, for example, have a hardware firewall and up-to-date antimalware and antivirus protection? Do you encrypt your hard drives and portable media? Do you regularly train your staff to be aware of information security issues? Have you enabled multifactor authentication, where possible, for all of your devices?
Answering no or I’m not sure to any of these questions means your—and your clients’—information may be at risk and you could benefit from cyber liability coverage. But even with the most robust information security programs, there’s always the chance that something might slip through the cracks. Taking a good look at scenarios that could leave your business vulnerable to attack can help you determine which coverage plans may be best for your firm.
For the second part of your assessment, you’ll want to evaluate whether you’ve done as much as possible regarding:
Governance and risk assessments: This includes creating an inventory of all the software and hardware in your office, as well as any device that’s connected to your network; developing policies for bringing devices to work and displaying information on screens or desks; and maintaining a data-retention policy.
Access rights and controls: This includes encryption, firewalls, password policies, and the like.
Data loss prevention: This includes verifying the identity of clients who request asset transfers and regularly updating your software.
Vendor management: This includes doing appropriate due diligence on potential vendors and signing contracts that govern data usage.
Training and awareness: This includes regular training on information security concerns for you and your staff, as well as training and best practices for your clients.
Incident response: This includes having an appropriate backup system in place, along with formal business continuity and incident response plans.
By understanding the controls you already have in place and the areas where you may be at risk, you can look to purchase a cyber liability policy that focuses on the coverage you need.
2) Research carriers and policy options. According to the 2017 Cost of Data Breach Global Study, the average cost of a data breach is $225 per client. So, although you may be reluctant to pay the premiums for yet another insurance policy, that cost is minimal compared with the out-of-pocket expenses your office could incur if it experiences a cyberattack.
Policy cost varies depending on the depth of coverage you select and the carrier you choose. When speaking to a potential insurance carrier, ask about the types of incidents covered and whether any “events” are specifically excluded from coverage. Because each financial services office is different and cyber liability insurance coverage varies from vendor to vendor, be sure to vet multiple policy options. You’ll also want to get the best value and price for what your business needs, so discuss pricing in detail with the carriers and inquire about deductibles.
3) Apply for your top choices. Once you have vetted a few insurance carriers, fill out an application with the companies whose quotes best fit your office’s needs. Ensure that the applications have been completed correctly, answering questions based upon the cybersecurity protocols your office employs. Once you are approved for a few policies, you can choose the right cyber liability policy for your needs based on the deductible, premiums, and coverage with which you are most comfortable.
A Plan for Prevention and Recovery
In today’s increasingly digital world, having a top-notch information security program in place is essential for protecting your business’s assets and your clients’ personal data. But as the threat of a cyberattack or breach grows, it’s best to be prepared not only to prevent an attack, but to make a full recovery from one as well. If you follow the steps outlined above and choose the right cyber liability policy for your business’s needs, you’ll be well equipped to handle any threat that comes your way. Posted by Rachel Sonia