By Matt Rybaltowski
(Reuters) – A robust cyber security insurance policy can be tricky to procure, even for the most meticulous wealth management firms.
Interest in cyber insurance has surged over the past year following a number of high-profile hackings, including one announced earlier this month involving the U.S. Office of Personnel Management.
In response, many industries and the financial services industry in particular, have stepped up their vigilance against cyber crimes.
Last year, financial institutions raised by nearly 20 percent the total limits of their cyber coverage with Marsh, a global insurance broker and unit of Marsh & McLennan Cos, to an average of $23.5 million.
Premiums for a $10 million policy at financial institutions with under $1 billion in revenue can run between $150,000 to $175,000 per year, according to Marsh.
Insurance coverage would help offset the financial burdens of a cyber attack, covering everything from notifying customers to hiring technology experts.
About 50 insurance carriers offer cyber insurance in the United States, including Ridge Insurance Solutions, a global insurance company launched in October by former Department of Homeland Security (DHS) secretary Tom Ridge.
More than 60 percent of brokerages examined during a Financial Industry Regulatory Authority (FINRA) review of brokerages’ cyber security practices had a standalone cyber security policy, the Wall Street watchdog said in a February report.
Here are some tips on finding the best policy for your firm.
Efforts to limit potential risks could lower premiums. Phishing attacks, or attempts to steal sensitive data, decreased at Raymond James Financial Inc since launching a cyber threat center in 2013, where a team monitors around the clock for problems, said Andy Zolper, Chief Information Security Officer. Firms should also find a carrier that will complete an “honest assessment of their vulnerabilities,” to avoid purchasing a policy “full of holes,” Ridge said.
Insurers may reward efforts, such as the encryption of employees’ mobile devices, with discounts by offering lowering deductibles and premiums, said Robert Parisi, cyber product leader at Marsh.
The encryption process depends on the phone model, but is often user-friendly.
CHECK FOR COVERAGE GAPS
Some firms believe their coverage is complete after adding cyber riders to general business insurance. But there can be gaps, said Adam Cottini, managing director of the Cyber Liability practice for global insurance brokerage Arthur J. Gallagher & Co.
For example, outdated language in insurance documents may not mention coverage for phishing attacks.
A $1 million policy may offer only $250,000 in coverage sublimits for each of four potential claims categories, including legal expenses and hiring a forensic company to analyze damage. But insurers can increase those sublimits without changing the overall limit.
Read the fine print, said Hardeep Walia, chief executive of Motif Investing Inc at a May FINRA conference. A policy may exclude coverage for regulatory expenses, which may surprise firms.
Insurers are cutting back as regulators home in on cyber security violations, Marsh’s Parisi said. That could leave firms on the hook for big bills, such as for legal representation.
(Editing by Suzanne Barlyn and Bernadette Baum)