

Louis D'Agostino, Iron Cove Partners

Cyber insurance premiums ‘still quite soft’ says Iron Cove Partners’ D’Agostino

Now is probably the best time to be thinking about cybersecurity insurance given that premiums in the marketplace remain soft. Hedge fund managers who grasp the nettle and get their protection policies in place ahead of the herd could find themselves at a financial advantage. 

The sad fact is the scale and sophistication of cyber attacks are only going to grow. And as more attacks happen, the number of claims will increase – thus pushing premiums higher. 

"We're in a soft insurance market, but that could well change in 2018 due to a variety of factors," says Louis D'Agostino, Principal, Financial Services, Iron Cove Partners. 

Iron Cove specialises in meeting the unique insurance demands across all areas of the financial services industry including investment advisers; hedge funds; private equity funds; mutual funds; broker-dealers, and investment banks.

D'Agostino says that cyber coverage is still only anywhere from USD2,500 to USD5,500 per million dollars of coverage. "There are syndicates in London such as Beazley and Pioneer as well as numerous US Carriers that have some cost-effective policies with extensive coverage. We think it's a good investment while premiums are cheap."

Before 2014, says D’Agostino, people, while inquisitive, were a bit hesitant to purchase cyber insurance. More recently, as cyber attacks have increased in frequency, C-Suite executives have not only been more proactive from a security posture perspective; there has also been a significant uptick in procuring cyber insurance protection.

"However, despite the uptick, there are still some hedge fund managers that think, ‘We're a small firm, it's probably not going to affect us'," says D'Agostino.

Investment advisers have large amounts of personally identifiable information (PII) on investors, they hold intellectual property in the form of trade secrets and, in the case of private equity, sensitive documentation on M&A deals and so on. All of this information is at risk, should the manager or one of his service providers suffer a cyber breach.

Given the risks involved, and indeed the costs involved, having cyber insurance should be viewed as an integral part of a robust cybersecurity plan. Yet in a recent blog written by D'Agostino*, he points out that only 35 percent of advisors carry such coverage. 

According to the Ponemon Institute's Cost of Cyber Crime Study, the median annualised cost of a 2016 cyber-crime was USD6.7 billion, up from USD5.5 billion only a year earlier. That number will continue to head north, not south. 

So what should one look for in a cyber policy? 

The most important types of 3rd Party Liability Coverage are Privacy, Network Security & Media Liability:

Privacy Breach: Liability arising out of the disclosure of personally identifiable information and, in some cases, non-public private and confidential information.

Network Security Incident: Liability arising out of unauthorised access, a denial of service attack, or the downloading of malicious code.

Media Liability: Liability which arises from defamation, slander, libel, and copyright infringement.

In terms of 1st Party Liability Coverage, the following areas would cover a hedge fund manager for any costs incurred as a direct consequence of dealing with a cyber attack:

  • Business Income and Extra Expense coverage
  • Public Relations and Crisis Management costs
  • Notification Expenses
  • Forensic costs to investigate a cyber event
  • Software and Electronic Data Restoration
  • E-Extortion Expenses
  • Cyber Crime and Social Engineering

Social engineering protection

There are two things to consider when dealing with a social engineering incident: Am I (as the fund management company) covered for the costs of responding and dealing with the situation? And am I covered (with respect to the fund) if an attack has been successful and there is a loss of customer capital? In which case, how does the fund get reimbursed? 

Coverage in the US marketplace has been quite limited in terms of protecting against cyber fraud but things are starting to improve. 

"We've recently developed a proprietary product for hedge funds that now includes that coverage," confirms D'Agostino. "On your Directors and Officers liability, if you wanted to get social engineering crime included you could. Up until a couple of months ago you could only purchase it in small amounts and it really didn't reassure people; up to USD250,000."

There are many examples of wire fraud, where people are targeted, and large sums of money are embezzled, so it is something that certainly scares people, especially the C-Suite. If there were no way to deal with the risks associated with a social engineering attack, that would be problematic. 

"Now, in select markets, you can get up to the full limit, whether it's on a primary basis or you get excess over other policies that exist. The capacity is there," adds D'Agostino.

In most cases, this will be a separate policy in and of itself that dovetails with an investment advisor's fidelity bond, which covers companies for fraudulent acts carried out by employees. When Iron Cove built its proprietary product, it included a separate module for cybercrime and social engineering that can become a part of the D&O policy. "Your fidelity bond, cybercrime, and your D&O can all be included under one contract," confirms D'Agostino.

Check your vendors

One other important consideration for investment advisors is to ensure that the insurance carrier approves their incident response team and all associated vendors. 

Insurance contract terms and conditions will always include a series of ‘defined terms'. Some cyber policies may specify that the fund's third-party vendors be an "approved provider", with that term set in bold letters, stipulating that an insured must have its vendors approved before incurring costs in the event of a cyber incident.

The last thing any management team wants is to have proper policies and procedures in place, take all the right steps containing a breach, inform the regulator and investors, only to then find out that they cannot recover the costs because one or more of the vendors are not on an approved list.

Better to be proactive and make sure all of the fund's service providers are approved rather than waiting for a cyber incident, by which time it will be too late to take retrospective action.

"Understanding these nuances to the policy language puts our clients in a position to maximize their insurance recovery. Ultimately that is our main priority," concludes D'Agostino.


