
Insuring Your Practice Against Emerging Digital Threats

In today's digital landscape, financial advisors are increasingly targeted by cybercriminals due to the sensitive client information they handle. Cybersecurity breaches can lead to substantial financial losses, reputational damage, and legal repercussions. Understanding the risks, associated costs, and the role of cyber insurance is crucial for safeguarding your practice.

The Financial Impact of Cybersecurity Breaches

Cyberattacks impose both direct and indirect costs on financial advisors:

  • Direct Costs: These include immediate expenses such as forensic investigations, legal fees, client notification processes, and regulatory fines. The average cost of a data breach reached US$4.88 million in 2024, underscoring the significant financial burden of such incidents. 

  • Indirect Costs: Long-term repercussions encompass reputational damage, loss of client trust, and potential client attrition. A tarnished reputation can be challenging to restore and may result in decreased business opportunities.

Case Studies Highlighting the Consequences of Different Types of Cyber Incidents

The Role of Cyber Insurance

Cyber insurance serves as a critical component of a financial advisor's risk management strategy, providing:

  • Financial Protection: It covers costs related to data breaches, including legal fees, client notification, and system remediation. For example, policies may cover expenses for forensic investigations to determine the breach's cause and remediation efforts to close security gaps.

  • Access to Expertise: Insurers often provide access to IT, legal, and public relations professionals to manage and mitigate the impact of a cyber incident, facilitating a quicker return to normal operations with minimal recovery costs and less inconvenience to clients.

Cyber Insurance vs. Professional Liability Insurance

In financial advisory services, safeguarding against potential liabilities is paramount. Two critical insurance policies often come into play: Professional Liability Insurance (also known as Errors and Omissions Insurance) and Cyber Liability Insurance. Understanding their distinct coverages and limitations is essential for comprehensive risk management.

Professional Liability Insurance (E&O)

This insurance protects financial advisors against claims arising from negligence, errors, or omissions in the professional services they provide. For instance, if an advisor offers incorrect investment advice resulting in client losses, E&O insurance would cover legal defense costs and any settlements or judgments. However, it's important to note that E&O policies do not typically cover cyber-related incidents, such as data breaches or cyberattacks, unless explicitly included through endorsements or riders.

Cyber Liability Insurance

In contrast, Cyber Liability Insurance is designed to protect businesses from financial losses and other liabilities resulting from cyber incidents. These incidents can include cyberattacks, data breaches, or unauthorized access to sensitive company information. A cyber policy typically covers various costs, including fees for data breach notification, data recovery, regulatory fines, legal fees, and third-party damages.

Key Differences:

Given the evolving landscape of cyber threats, financial advisors should assess their existing insurance coverages to identify potential gaps. While E&O insurance is essential for traditional professional liabilities, it may not provide adequate protection against cyber risks. Therefore, securing a standalone cyber liability policy is advisable to ensure comprehensive coverage.

I Have Cyber Insurance – Now What?

Cyber insurance is only one part of a program to protect your firm and the data entrusted to it by its clients. As in all areas covered by insurance, it’s better not to have an incident than to have to make a claim in response to a problem. Implement robust security protocols, conduct regular risk assessments, and invest in security awareness training to protect your firm against having a breach in the first place. Finally, carefully review your policy every year and talk to an expert if you have questions about your coverage. There are many policy options, conditions, and exclusions that might mean you don’t have the level of coverage you think you do, but the right Cyber Insurance policy is a robust risk management strategy to protect your firm against financial and reputational damages associated with cyber incidents.