Your Cyber Insurance Policy Probably Doesn’t Provide The Cyber Coverage You Need Most

Cybersecurity insurance

By Michael Brice, Founder and President, BW Cyber

Most asset managers (private equity firms, hedge funds, traditional RIAs, broker-dealers, and the like) have cyber insurance coverage – you do, don’t you?

Well, if you listen to the SEC’s guidance, you probably should have cyber coverage. And even though the process to obtain it can be painstaking – sometimes taking weeks or even months – just like life insurance, it is a good idea. After all, it seems like just about everyone in the industry has either been hacked or will be hacked, so you’ll definitely need it. Right? 

But what if your cyber insurance policy doesn’t cover your most prevalent financial risk? What if your policy doesn’t even cover the risk that can cost your firm and your investors the most? Unfortunately, that’s most likely the case. No, I’m not joking, and there’s no hook in this article – read on…

Stated bluntly, the cyber insurance market is in free fall due to the epidemic of successful cyberattacks, and insurers are not in business to lose money. So, what recourse do they have? They severely sublimit the areas that represent their highest exposure – which, of course, are also the areas that represent your highest exposure. Chief among them: wire fraud.

Wire fraud is clearly the most prevalent cyberattack vector in the asset management industry today – even more so than ransomware. And in my personal experience, wire fraud is also by far the most successful cyberattack vector against the asset management industry in general. What’s important to understand here is that your cyber insurance policy most likely contains two provisions that either severely limit or completely preclude coverage if your firm suffers a wire fraud loss.

First, almost all cyber insurance policies issued today sublimit wire fraud coverage to no more than $250k in losses – regardless of the overall policy limit. If you’re in private equity, that’s a drop in the bucket when you’re buying or selling a portfolio company.

However, it gets better (rather, it gets worse). Most cyber insurance policies only cover your money. Think about that. Are the funds you wire most often ‘your’ money? I suspect not. Those funds are the investors’ money and are therefore not even covered by your cyber insurance policy.

Yes, this is a big deal. If you procured your cyber insurance policy thinking it would provide some level (e.g., $250k) of financial protection against wire fraud loss, think again. The policy may only cover wire transfers associated with the general partner and not the fund(s).

And, just to muddy the waters further, your cyber policy sure as heck doesn’t cover you if your fund administrator screws up the wire (and that has already happened more than once). But that’s an entirely separate discussion for another time.

So, what to do? Start by checking your coverage with your broker. Be prepared, however, for your broker to not fully understand the nuances of ‘your’ money vs. your investors’ money; if they did, they would already have discussed this concern with you before you procured your current policy.

Next step? If you don’t have a financial institution bond (FI Bond, aka Crime Policy), get one! If properly procured, your FI Bond should cover wire transfers associated with your LPs. Also, be sure your broker lists the fund(s) as covered property for wire fraud losses. Moreover, if your broker is particularly savvy, you may be able to include the liability associated with any errors committed by your fund administrator.

In the meantime, make sure you have a well-documented, codified cash management policy that explicitly requires a callback on every wire whose beneficiary details are not already on file, with the callback placed to a phone number obtained independently of the request (never to a number supplied in the new instructions). While this process sounds simple, we often see extremely smart people get it wrong. Spoiler alert: if you receive a call from a known caller ID with a voice you recognize assuring you that the updated wiring instructions are correct, you cannot trust that the caller is who they say they are – even if it’s a video call. Caller ID, voices and video can all be spoofed; the only verification that counts is the one you initiate.
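To make the callback rule concrete, here is an added example of a wire-release gate that encodes it; this is illustrative code written for this article, not anything from BW Cyber or any vendor. All names (BankDetails, Beneficiary, WireRequest, Callback, release_decision), the registry, account numbers and phone numbers are constructed for the example. The one design point worth noticing is that the gate never consults a phone number that arrived with the payment instructions: the only number it will accept a callback on is the one verified independently when the beneficiary was onboarded, and an inbound call, however convincing, never counts as verification.

```python
"""Wire-release gate implementing a callback-on-changed-instructions policy.

Added example for illustration only (not the author's or any firm's code).
Every identifier, account number and phone number below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class BankDetails:
    routing: str
    account: str


@dataclass(frozen=True)
class Beneficiary:
    """A beneficiary already on file.

    callback_number is assumed (hypothetical onboarding step) to have been
    verified through a channel independent of any payment instruction, for
    example the counterparty's published switchboard or a signed agreement.
    """
    name: str
    bank: BankDetails
    callback_number: str


@dataclass(frozen=True)
class WireRequest:
    beneficiary_name: str
    bank: BankDetails
    amount: int                                  # whole currency units
    contact_number_in_request: Optional[str] = None  # supplied by the requester; untrusted


@dataclass(frozen=True)
class Callback:
    number_dialed: str
    initiated_by_us: bool   # True only if our own staff placed the call
    confirmed: bool         # counterparty confirmed the new instructions


def release_decision(req: WireRequest,
                     registry: Dict[str, Beneficiary],
                     callback: Optional[Callback]) -> Tuple[bool, str]:
    """Return (release?, reason). Release only when instructions match what is
    on file, or when a change was confirmed by a callback WE placed to the
    number on file. Anything else holds the wire."""
    on_file = registry.get(req.beneficiary_name)
    if on_file is None:
        return False, "hold: beneficiary not on file; onboard and verify a callback number first"
    if on_file.bank == req.bank:
        return True, "release: instructions match those already on file"
    # Changed instructions: this is exactly the case the callback rule targets.
    if callback is None:
        return False, "hold: changed wiring instructions and no callback performed"
    if not callback.initiated_by_us:
        return False, "hold: an inbound call (any caller ID, voice or video) is not verification"
    if callback.number_dialed != on_file.callback_number:
        if callback.number_dialed == req.contact_number_in_request:
            return False, "hold: callback placed to the number supplied in the request itself"
        return False, "hold: callback placed to a number not on file"
    if not callback.confirmed:
        return False, "hold: counterparty did not confirm the new instructions"
    return True, "release: change confirmed by callback to the number on file"


# Constructed sample data (fictional routing/account numbers and 555-01xx phone numbers).
ACME_ON_FILE = BankDetails(routing="000000001", account="123456789")
NEW_ACCOUNT = BankDetails(routing="000000002", account="987654321")
REGISTRY: Dict[str, Beneficiary] = {
    "Acme Portfolio Co.": Beneficiary("Acme Portfolio Co.", ACME_ON_FILE, "+1-212-555-0100"),
}


def scenarios() -> Dict[str, Tuple[bool, str]]:
    """Run the gate over the usual situations, including the attack pattern."""
    changed = WireRequest("Acme Portfolio Co.", NEW_ACCOUNT, 2_500_000,
                          contact_number_in_request="+1-212-555-0199")  # attacker's number
    cases = {
        "unchanged": (WireRequest("Acme Portfolio Co.", ACME_ON_FILE, 2_500_000), None),
        "changed_no_callback": (changed, None),
        "changed_inbound_call": (changed, Callback("+1-212-555-0199", initiated_by_us=False, confirmed=True)),
        "changed_callback_to_request_number": (changed, Callback("+1-212-555-0199", initiated_by_us=True, confirmed=True)),
        "changed_callback_to_number_on_file": (changed, Callback("+1-212-555-0100", initiated_by_us=True, confirmed=True)),
        "unknown_beneficiary": (WireRequest("Newco LLC", NEW_ACCOUNT, 100_000),
                                Callback("+1-212-555-0100", initiated_by_us=True, confirmed=True)),
    }
    return {label: release_decision(req, REGISTRY, cb) for label, (req, cb) in cases.items()}


if __name__ == "__main__":
    for label, (ok, reason) in scenarios().items():
        print(f"{label:38s} {'RELEASE' if ok else 'HOLD   '} {reason}")
```

Only two of the six scenarios release: the wire whose details already match the file, and the changed wire confirmed by a callback that the firm itself placed to the number on file. The case most often mishandled in practice, a convincing inbound call or a callback made to the number printed on the new instructions, is held by construction.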