Money managers increasingly are buying cybersecurity insurance to supplement their technology security strategies to both combat data breaches and deal with repercussions if hackers do break in.
About 30% of U.S. institutional money managers had cybersecurity insurance coverage as of Jan. 1, sources said, most of which were firms with more than $10 billion in assets under management. That compares with only 5% at the start of 2014, they said.
Along with news coverage about cyberattacks across the business spectrum, interest has been piqued by a new round of manager reviews by the Securities and Exchange Commission under its Regulation Systems Compliance and Integrity rule.
As part of the new round of Regulation SCI reviews, which focus on firms' technology safeguards in the event of a breach or a system failure, the SEC wants to know what, if any, cybersecurity insurance managers have. Most managers contacted for this story wouldn't discuss whether they have cybersecurity insurance, citing overall concerns about publicizing their cybersecurity policies.
“There's no SEC requirement today to have a (cybersecurity insurance) policy but they've said publicly that managers should be able to disclose their policies and procedures for cybersecurity and everything that applies to it,” said Josh Hall, global head, investment operational due diligence, Willis Towers Watson PLC, New York.
Greg Vernaci, senior vice president and head of cyber, U.S. & Canada, financial lines, at American International Group Inc., New York, said interest in cybersecurity insurance “has reached a tipping point in the U.S. and has been fueled by the increased attention from the SEC on investment advisers and asset managers.”
Even without the SEC's effort, reports of extensive high-profile data breaches at retail giants such as Target Corp. and The Home Depot have caused money managers to look at their own cybersecurity policies and programs — including insurance coverage, said Graig Vicidomino, associate director at Crystal & Co., a New York-based insurance broker for the financial services industry.
“More and more asset managers are buying based on headline risk, or what they've seen in the news about breaches at other firms,” Mr. Vicidomino said. “So managers have really become proactive buyers as opposed to reactive buyers. Also, on the back end, they're insuring their reputational risk, ensuring they have enough coverage to survive an attack and limit the number of clients who'd otherwise be running out the doors after a breach. They're buying insurance strategically.”
AIG's Mr. Vernaci said the insurer's financial services clients “are also realizing how technology dependent they are in operating their business” and are looking at network interruption coverage for income loss and extra expenses if a security failure interrupts or shuts down their business.
Along with the 30% of managers with cybersecurity insurance overall, another 25% have either talked with officials at Crystal and other brokerages about buying such coverage or are in the process of obtaining the insurance, sources said.
Such questions also are being asked by investment consultants who review managers for their asset owner clients. “I think everyone in the asset management business, both internally and externally by their consultants, is asking about it,” said Tim Barron, Chicago-based chief investment officer at Segal Rogerscasey LLC. “No question, the knob has been turned up. The SEC questions will just turn it up even higher.”
“It's a big topic of conversation with our (asset owner) clients,” added Mr. Hall. “Our operational due diligence includes an entire section on cybersecurity. We ask for manager information about their policy, if there's any (network penetration) testing, and what third parties are used and what's their security and insurance coverage ... exactly what's covered by their insurance, and what isn't.