Money managers starting to buy cyberattack insurance

Interest in coverage at "tipping point' as SEC increases reviews of safeguards

Graig Vicidomino
Graig Vicidomino believes more managers are taking a hard look at their cybersecurity.

Money managers increasingly are buying cybersecurity insurance to supplement their technology security strategies to both combat data breaches and deal with repercussions if hackers do break in.

About 30% of U.S. institutional money managers had cybersecurity insurance coverage as of Jan. 1, sources said, most of which were firms with more than $10 billion in assets under management. That compares with only 5% at the start of 2014, they said.

Along with news coverage about cyberattacks across the business spectrum, interest has been piqued by a new round of manager reviews by the Securities and Exchange Commission under its Regulation Systems Compliance and Integrity rule.

As part of the new round of Regulation SCI reviews, which focus on firms' technology safeguards in the event of a breach or a system failure, the SEC wants to know what, if any, cybersecurity insurance managers have. Most managers contacted for this story wouldn't discuss whether they have cybersecurity insurance, citing overall concerns about publicizing their cybersecurity policies.

“There's no SEC requirement today to have a (cybersecurity insurance) policy but they've said publicly that managers should be able to disclose their policies and procedures for cybersecurity and everything that applies to it,” said Josh Hall, global head, investment operational due diligence, Willis Towers Watson PLC, New York.

Greg Vernaci, senior vice president and head of cyber, U.S. & Canada, financial lines, at American International Group Inc., New York, said interest in cybersecurity insurance “has reached a tipping point in the U.S. and has been fueled by the increased attention from the SEC on investment advisers and asset managers.”

Even without the SEC's effort, reports of extensive high-profile data breaches at retail giants such as Target Corp. and The Home Depot have caused money managers to look at their own cybersecurity policies and programs — including insurance coverage, said Graig Vicidomino, associate director at Crystal & Co., a New York-based insurance broker for the financial services industry.

“More and more asset managers are buying based on headline risk, or what they've seen in the news about breaches at other firms,” Mr. Vicidomino said. “So managers have really become proactive buyers as opposed to reactive buyers. Also, on the back end, they're insuring their reputational risk, ensuring they have enough coverage to survive an attack and limit the number of clients who'd otherwise be running out the doors after a breach. They're buying insurance strategically.”

AIG's Mr. Vernaci said the insurer's financial services clients “are also realizing how technology dependent they are in operating their business” and are looking at network interruption coverage for income loss and extra expenses if a security failure interrupts or shuts down their business.

Along with the 30% of managers with cybersecurity insurance overall, another 25% have either talked with officials at Crystal and other brokerages about buying such coverage or are in the process of obtaining the insurance, sources said.

Such questions also are being asked by investment consultants who review managers for their asset owner clients. “I think everyone in the asset management business, both internally and externally by their consultants, is asking about it,” said Tim Barron, Chicago-based chief investment officer at Segal Rogerscasey LLC. “No question, the knob has been turned up. The SEC questions will just turn it up even higher.”

“It's a big topic of conversation with our (asset owner) clients,” added Mr. Hall. “Our operational due diligence includes an entire section on cybersecurity. We ask for manager information about their policy, if there's any (network penetration) testing, and what third parties are used and what's their security and insurance coverage ... exactly what's covered by their insurance, and what isn't.

Size differential

“It's not a deal breaker” if some managers don't have such insurance, Mr. Hall said — but eventually it will be. While Willis Towers Watson won't turn down uninsured smaller managers for shortlists, Mr. Hall said, “if a larger money manager didn't have cyberinsurance, I'd likely recommend that the client not consider them. Most clients don't turn down managers over this. They're not getting how real the threat is. I think they will sooner or later. This eventually will be a deal-breaker.”

Part of the reason money managers — particularly those with less than $10 billion in AUM — don't have cybersecurity insurance is cost, sources said. A typical $1 million cyberinsurance policy with a $10,000 to $20,000 deductible for a money manager with $1 billion to $5 billion in assets costs about $10,000 a year in premiums. Those costs can be onerous when added to firms' required compliance costs to meet regulations under Basel III and the Dodd-Frank Wall Street Reform and Consumer Protection Act.

But costs actually can vary depending on what kind of coverage a manager is buying — first party or third party. First-party policies usually involve immediate breach damage and cost coverage, forensic investigations into the causes of the breach, credit monitoring and remediation. Third party generally covers liability claims by customers or regulators, legal costs, settlements and penalties. In some cases, third party also will include reputational costs, including any public relations or media efforts to limit the damage to a company's reputation.

Costs also can vary given what's become a very competitive business for insurers like The Travelers Cos., Beazley PLC, American International Group Inc., Accel Group and Chubb Group of Insurance Cos.

“The marketplace is so competitive, for an asset manager with a larger website, one insurer may offer $5 million in coverage for $50,000 while another would offer the same coverage for $30,000,” said Mr. Vicidomino of Crystal & Co.

What can be covered within first-party and third-party policies is also expanding, said Paul Kim, co-chief broking officer at Aon Risk Solutions, New York. “Recently, the larger-manager space has focused on adding business interruption coverage in first-party policies to cover the loss of revenue while a manager or their vendor is down because of a cyberattack,” Mr. Kim said. He said most Aon clients have purchased both first-party and third-party coverage and then have added more coverage later.

Alpine Capital Research, a St. Louis-based institutional all-cap value equity manager with $2.5 billion in AUM, recently bought cyberinsurance from Travelers to cover both liabilities from a breach and the cost of rectifying the breach, including forensic investigation and other information-technology work, said Brett Rufkahr, chief operating officer.

Question of coverage

“The decision was borne out of our concern about being cognizant of what's going on, not only in our industry but in business in general,” Mr. Rufkahr said. “We determined that we needed this kind of coverage. It's so different from the typical property and casualty coverage you get. We wanted to be on top of this.”

Mr. Rufkahr said cost was not as important to Alpine as was what coverage to obtain.

“I don't want to get into how much coverage we have, but if you want to buy a $1 billion policy, it's going to be costly,” he said. “The question for us was not whether it was too costly but what level (of insurance) works for the company. We can pursue higher limits in the future.” He wouldn't say the cost or coverage limits of Alpine's coverage.

Mr. Hall said it's inevitable that the SEC will require managers to have some kind of cybersecurity insurance coverage.

“The writing is on the wall,” Mr. Hall said. “The fact that they're asking indicates there could be a requirement in the future.” He doesn't expect the SEC to set specific amounts and kinds of insurance managers will need. “The SEC won't just put a number on insurance. They'll leave it to the managers, and they'll decide what they need.” n

This article originally appeared in the March 21, 2016 print issue as, "More firms buy insurance for cyberattacks".