Insurance premiums are largely priced by the likelihood something bad will happen and the expected cost of remedying the damage. And for cyber insurance, both factors are rising fast.
And since advisory practices are, by their nature, filled with personal and private data about clients and their wealth, financial advisory tech systems can be a tempting target for cyber crooks.
As cyberattacks have become more severe and more frequent, some broker-dealers, such as Advisor Group, have rolled out programs to help advisors get the protection they seek, as reported.
During the first six months of 2022, at least 2.8 billion malware attacks were recorded, an increase of 11% from the previous 12 months, and the first climb in global malware volume in more than three years, according to data from the cybersecurity company SonicWall. In August, the Securities and Exchange Commission charged 18 individuals with hacking into dozens of retail brokerage accounts.
In turn, demand for cyber insurance within the industry has grown. In fact, 33% of financial services companies held coverage for cyber in 2020, up from 26% in 2016, according to a recent Government Accountability Office report.
Josephine Wolff, associate professor of cybersecurity policy at the Fletcher School of Law and Diplomacy at Tufts University, notes that while premiums had stayed relatively stable through 2019, the past few years have seen stark price spikes.
“There was a big spike in 2019 [and] 2020 in the number of ransomware attacks and the number of ransomware claims. And so to compensate for that, we saw these significant increases in premiums pretty much across the board for policyholders of all sizes, working with all different kinds of insurers and brokers,” she said.
And while data breaches at larger enterprises may catch more headlines, ransomware doesn’t only target the big fish.
A 2021 Cyber Claims Study by NetDiligence found no correlation between the cost of an incident and the victim company’s revenue. Indeed, 99% of cyber insurance claims between 2016 and 2020 were made by enterprises with less than $2 billion in annual revenue.
Wolff said there’s a concern that higher spending on cyber insurance premiums will lead companies to tighten the budget for preventative cybersecurity infrastructure, thereby only introducing further risk.
“And so there's a moral hazard fear of maybe people are buying cyber insurance and then not doing anything else for security because that's what they're spending all their money on. Or now they have insurance and so they feel they don't need to.”
Fred Cate, founding director of Indiana University's Center for Applied Cybersecurity Research, said it’s inevitable that the cost of those higher premiums is likely being passed down from policyholder to advisor to client.
“The cost is so great, I would be shocked if it's not passed down,” Cate said. “[E]ven businesses with hefty profit margins would find it hard over time to cover the escalating cost of cyber insurance without passing that cost along.”
Insurers are having to limit the scope of what’s covered as well, he said. Cate compared the coverage to underwriting for defamation insurance.
“One thing the two have in common is that defamation insurance at one point was largely being driven by a handful of really big verdicts. Most verdicts, the insurer won. And even when they paid, they paid very small amounts,” he said. “But there were just enough super-huge verdicts that then insurance companies understandably got nervous.”
Insurers are also pushing companies to strengthen their internal controls, in a way fulfilling a role a regulator might otherwise, Cate said.
“So, the carrier says they’ll only write this insurance if you do the following 75 pages of things to improve your security. So increasingly, having good cyber insurance is also a sign you may have better cybersecurity practices, because the insurance carrier is going to insist on it,” he said.
Daniel Soo, principal for Deloitte’s risk and financial advisory practice, said demand for cyber insurance has also been driven by the understanding that cyber threats are a business risk companies can’t entirely defend against.
“There's a recognition that there's a need for cyber insurance to really cover things that they're not able to cover on their own. So having a policy that protects them is kind of a risk transfer mechanism.”
In some cases, policyholders can use the fact they have insurance as a marketing message, Soo said.
“And I think even consumers, whether it's businesses or even individuals like you and I, those are things that we don't really take that too lightly anymore.”