The increasing threat from cyberattacks is a growing concern for investment advisers who routinely handle sensitive and confidential information. But they also need to stay on top of evolving regulatory requirements related to cybersecurity.
That’s because aside from the costs incurred from a cyberattack, investment advisers can face stiff fines as well. As just one example, the Securities and Exchange Commission (SEC) last year announced that Morgan Stanley agreed to pay a $1 million fine to settle charges related to its failure to protect consumer information. The fine was the result of what the SEC described as a failure to adopt written policies and procedures designed to protect customer data.
Here are three of the latest trends in the regulatory environment that investment advisers should consider:
1) A growing number of states are creating cybersecurity rules for advisers
In response to the increasing number of cyberattacks – most notably the massive 2015 security breach at a major health care insurer – more states are imposing new requirements regarding handling sensitive data.
New York State is the first state in the nation to impose cyber security regulations (23 NYCRR PART 500) on banks, insurance companies and certain other businesses (including asset managers) in the financial industry. These include the requirement to critically evaluate cybersecurity practices and maintain detailed documentation demonstrating compliance. The rules represent the first comprehensive set of state regulations to address cybersecurity and are viewed as a model for other states.
More recently, Colorado proposed new cybersecurity rules for advisers, including requiring firms to have written policies and procedures for handling data. It would also require firms to assess their cybersecurity risks every year.
2) Government regulators are paying closer attention to cyber insurance
Federal regulators are increasingly taking into account whether investment advisers have cyber insurance.
That comes as the SEC and the Financial Industry Regulatory Authority Inc. (FINRA) have brought enforcement cases against firms regarding cybersecurity failures.
As one example, FINRA fined a dozen firms a total of $14.4 million for electronic record breaches.
When considering cyber coverage, investment advisers should pay close attention to how it handles third-party claims.
One survey by SecurityScorecard noted 63 percent of all data breaches can be attributed to a third-party vendor.
Other things to consider include:
- Whether the insurance covers business expenses such as restoring lost data
- Fixing or replacing lost or damaged hardware or software
- Hiring a public relations team and ransomware, which is a type of malware that prevents or limits users from accessing their computers unless money is paid
Those features are also offered under Argo Pro’s Asset Management PROtectSM form for investment advisers. There is also an extension for claims arising out of acts, errors or omissions of third parties.
3) Ensure your staff gets adequate cybersecurity training
Regulators are also paying attention to how much cybersecurity training is provided to your staff.
The SEC has stressed that employees can be a firm’s first line of defense.
A lot is at stake: Careless employee actions caused about 59 percent of cyberattacks on businesses, according to a recent Kaspersky Lab study.
While cyber exposures are vast and uncertain, what we do know is the SEC holds financial services firms accountable for maintaining the policies and procedures needed to keep their clients’ information safe. Investment advisers need to ensure they are doing everything they can to adopt the policies required under regulation.
About the author
Mary Henderson, senior vice president of financial institutions, has 22 years of experience in the insurance industry. She spent 14 years at Travelers Companies, serving most recently as regional vice president. Henderson also served as assistant vice president at Marsh & McLennan Companies. Henderson graduated from The Catholic University of America with a Bachelor of Arts degree.
About Argo Pro
Argo Pro, a member of Argo Group, is a leading provider of professional lines insurance products and services that can accommodate medium and large organizations on an admitted and non-admitted basis. Through a single operating platform and a robust network of appointed wholesale and retail distribution partners, Argo Pro offers a broad, customizable portfolio of errors and omissions and management liability insurance solutions. Argo Pro maintains offices in Chicago, Jersey City, San Francisco, Scottsdale and Hamilton Township (New Jersey).