You’re an asset or wealth manager, and you have just taken out cybersecurity insurance. Congratulations! You now have coverage for a range of cybersecurity-related risks, including:
- Litigation costs if you get sued due to a data breach or cyber outage
- Costs associated with client notification if your firm loses Personally Identifiable Information (PII), Protected Health Information (PHI) or Non-Public Information (NPI)
- Cyber Forensic costs
- Third-party business interruption losses
- Your own business interruption losses
- Ransom payment
- Social Engineering for losses of “Your” money
Of the items covered above, by far the most prevalent risk in the asset management industry is wire fraud associated with customer funds based on Social Engineering. However, did you notice in the last bullet that the word YOUR was in quotes? That’s on purpose. As an asset manager, “Your” money excludes pooled assets.
So, what does your cyber policy cover when it comes to socially engineered wire fraud? Most likely, it only covers GP funds. Also, almost all cyber policies now sublimit social engineering coverage to a maximum of $250,000. So even if you have a $1m or even a $5m cyber insurance policy, your maximum coverage for wire fraud is only $250,000, and that coverage does not mitigate wire fraud losses associated with customer assets.
So, if your firm is wiring funds in response to a redemption request, distribution, or perhaps a portfolio company acquisition, and the funds being wired are investor funds, you have zero coverage in the event of a wire fraud.
Oh – and what about wire transfer mistakes made by your fund administrator? They aren’t covered either.
So, why doesn’t your shiny new insurance policy cover this? Well, you could argue that insurance companies are smart. Cyber fraud results in billions of dollars of losses each year – over $37b since 2019 according to the FBI. That’s a staggering amount. And insurers don’t like taking on risks that are deemed too high, despite that being their raison d’être.
And, unfortunately, brokers don’t tend to understand the nuance of this as it relates to pooled assets. As I said earlier, “you” and “your money” are covered, up to a quarter of a million dollars, or whatever the policy states, but pooled assets are not your money – they are your investors’ money.
So, what do you do to mitigate this risk?
You may want to consider procuring a Financial Institution (FI) Bond – otherwise known as a crime policy. An FI bond will generally provide coverage for monetary or security losses due to things like employee theft, certain types of fraud by third parties (forgery, for example), theft of property from the premises, and social engineering (like wire fraud).
The key here is that you should be able to obtain an FI Bond that will cover pooled assets. Unlike the $250,000 sublimit placed on most cybersecurity insurance policies, you should be able to find an FI Bond to cover up to $1m for social engineering losses that include pooled assets (double-check the fine print, of course). If you have both cybersecurity coverage and an FI Bond, these coverages will stack.
October is cybersecurity awareness month, and if you have but one takeaway related to cybersecurity awareness this month, I’d hope it is to ensure you are aware of the overwhelming number of successful wire frauds that are occurring in the industry. As a result, we want you to take appropriate steps to prevent your firm from becoming yet another victim of socially engineered wire fraud.
Of note, BW Cyber is not an insurer or broker, and does not provide insurance advice. Due to the overwhelming number of socially engineered wire fraud activities that BW Cyber investigates each month, we are experts in wire fraud activities in the asset and wealth management industry. Hopefully, our experience and advice will help you and your firm either avoid being defrauded by a socially engineered wire fraud attack or, at a minimum, put appropriate risk mitigation controls in place to recover from a wire fraud loss.