Managing Your Cyber Security Risk

With the unpredictable nature of both the operational and technology requirements in the financial markets and the ever-increasing move to web-based connectivity, cyber security must be a top priority for all investment managers.

Whether you’re a new launch or have been managing billions of dollars for decades, cyber security has become a foundational tenet of operational protocol for which every investment manager must now plan. Within the past several months major cyber attacks have been experienced by The Wall Street Journal, the NYSE and JP Morgan. While rarely publicized like those incidents, attacks within the investment management community are far more frequent: in 2014, 39% of financial organizations reported that they had been subject to cybercrime[1]. These incidents can lead to significant financial loss, but the reputational damage among investors that follows a breach or loss of data can be even more costly.

To this end, fund managers must prepare proactively: understand their exposure to financial loss, and ensure proper prevention and disaster recovery plans are in place. Even thorough preparation only limits the damage; significant costs can still follow an attack, and unfortunately many attacks cannot be avoided entirely. Many funds are therefore addressing this residual risk by insuring themselves against cyber attacks and similar incidents.

Jason Lane, one of our sales executives, recently sat down with Jim Lopiccolo of Woodruff-Sawyer & Co. to discuss the heightened interest around professional liability, including cyber security, and the risks facing alternative investment managers.

“After returning from the holidays in January, I received a flurry of calls from my investment manager clients inquiring as to whether they had coverage for cyber attacks. Their investors appeared to be updating their diligence files and were posing the question – likely as a result of the SEC’s guidance on cyber security during 2014,” says Jim Lopiccolo, vice president & alternatives team leader of Woodruff-Sawyer & Co.

Thank you for taking the time to speak with me today. Before we begin with the interview, can you please tell me a little bit about yourself and your experience in the commercial insurance industry?

I’ve been in the commercial insurance industry for over 24 years.  During that time, I’ve specialized in Directors & Officers Liability, Professional Liability, Cyber Liability and unique Transactional Risk products to help facilitate M&A deals.  Throughout my career, I’ve gravitated toward those industry segments with inherent complexity – either due to legal structure, risk profile or both – and this has led me to the alternative investment space, which I enjoy very much.

What types of insurance does your firm offer?

Woodruff-Sawyer & Co. is a 97-year-old employee-owned risk advisory firm with full-service brokerage capabilities in Property/Casualty, Management and Professional Liability (including Cyber Liability) and Employee Benefits.  For the purposes of our discussion today, we’ll focus on Cyber Liability Insurance.

What types of groups in the financial services space do you cover?

The majority of my work is with private investment funds – including Hedge Funds, Private Equity Firms, and Real Estate Equity/Debt Funds.  However, I also work extensively with REITs – both traded and non-traded – and Registered Investment Companies (RICs).

What do alternative investment fund managers need to worry about in the area of cyber security?

An investment manager’s cyber security exposure will depend on a number of factors, including investment strategy, whether their clients are retail or institutional investors, total number of employees, and the extent to which they outsource various operational functions to third parties.  This will drive the type and amount of data to which a hacker has access.

Where do you see their exposure to loss?

When we talk to our clients about professional liability and cyber security, they typically think in terms of social security numbers, credit card numbers, etc. – but cyber exposure is so much broader than that.  For example, at the SALT Hedge Fund Conference in Las Vegas this past May, John Carlin, head of the Justice Department’s National Security Division, warned that cyber extortionists are actively targeting hedge funds to gain access to information, corporate secrets and, of course, their money.

As I mentioned earlier, our client base tends to be Private Fund Managers with a relatively small number of institutional investors.  For them, we generally categorize their cyber risk into 5 main buckets:

  1. Liability to 3rd parties (investors, creditors, employees, etc.) for claims alleging a breach in fiduciary duty for the failure to properly protect data.  Depending on the nature and severity of the breach, this could be significant.
  2. The Manager’s own costs associated with notifying their clients of the breach, forensic expenses, and providing credit monitoring services.  For most managers with institutional clients, these costs won’t represent a significant risk of financial loss.  However, a retail oriented manager could sustain crippling loss in this area if they were to sustain a breach.
  3. Cyber Extortion Threats and the payments required to resolve.  This can involve a wide range of incidents, ranging from a hacker holding a firm hostage to prevent it from executing trades, to stealing proprietary trading algorithms.  The relative risk is highly dependent on the investment strategy.  For a distressed debt shop this doesn’t tend to be a significant threat since they can literally pick up the phone to execute a trade, but that’s not the case for a high frequency trading firm.  For the latter, a cyber extortion threat could be catastrophic.
  4. Manager’s own costs to restore data.  With the increased use of outsourced cloud service providers and the frequency of backups, this also doesn’t tend to be a significant exposure, but it is important to ensure disaster recovery plans are tested frequently.
  5. Fraudulent Redemption Requests, whereby a 3rd party sends a request – purportedly from an investor or an executive of the manager – to transfer money.  We’ve had a handful of clients fall victim to these schemes, but with the proper internal controls this also shouldn’t be a significant risk.

What type of insurance is available to respond to these exposures?

In the past, because the Insuring Agreements within Directors & Officers Liability/Errors & Omissions Liability (D&O/E&O) policies are broadly written, we had always felt comfortable that, in the absence of a specific exclusion, they would respond to breach of fiduciary duty liability claims. However, as cyber attacks have grown in frequency and severity, most insurance companies are now taking the approach that they want these exposures covered under specific cyber liability policies that are specially underwritten and priced. Some are attaching specific Cyber/Privacy Liability exclusions to their D&O/E&O policies.

Cyber policies are also designed to cover the Manager’s own first party costs outlined above, including the notification and credit monitoring costs, extortion payments and cost to restore data.

Blanket Fidelity Bonds are now being endorsed to specifically cover Fraudulent Redemption Requests.

How much coverage are your alternative investment fund managers buying?

Most of our clients are still in the exploratory stage, or are dipping their toe in the water by purchasing relatively small limits of liability – not more than $1 Million to date.  Most view their risk to be fairly low, but want to be able to “check the box” on the investor diligence questionnaires.

Where do you see the cyber security industry in 5 years – is this all a trend? Also, what piece of advice would you leave our investment fund managers with?

The issue of cyber security is here to stay since the world will only continue to get more network dependent – and that includes the financial services industry.  My advice is to simply understand the risk, know your vulnerabilities, and be prepared.  If your systems are hosted on the cloud, ensure your provider is SSAE 16 certified for data security and has real-time, live disaster recovery sites. It’s incumbent on the investment manager to adequately protect themselves and partner with reliable technology firms utilizing state-of-the-art data centers.

[1] PwC, Global Economic Crime Survey 2014: Financial Services

To find out more about our secure portfolio management solution, Sentry PM, go to ClearStructure.com.

Or to find out more about cyber security coverage for your firm, go to Woodruff-Sawyer.