When cyber incidents affect investment banks, advisors, and broker-dealers, the resulting damages are often significant, given the size of the transactions involved. Few industries are more susceptible to such large losses. Most financial firms are already well aware of the risk and of the importance of cyber insurance. One of the most overlooked benefits of maintaining a cyber policy is the comfort of having a response team at the ready. Cyber incidents are chaotic and can create significant confusion. The ability to immediately offload incident response, investigation, and reporting obligations can provide huge relief, allowing the firm to focus on other risk mitigation, business continuity and customer relations. But few financial firms understand the actual intricacies of the underlying coverage terms provided by different insurers, which are equally important. Here are some questions to consider when assessing coverage options:
- Does the cyber policy align with your firm’s incident response plan? If the firm maintains an incident response plan that names the vendors it will use in the event of an incident (forensics, breach counsel, public relations, notification services), does the policy allow the firm to use those vendors? Have they been added to the policy’s vendor “panels” where required? If not, significant costs could be incurred in the initial phase of an incident response that the insurer may ultimately refuse to cover.
- Is the policy’s regulatory insuring agreement clear? Some policies limit regulatory coverage solely to incidents in which confidential information is affected, which raises the question: if a social engineering attack or fraudulent funds transfer triggers a reporting obligation to a regulator such as FINRA or the SEC, will the costs of the resulting investigation be covered, given that confidential information was not necessarily involved? Further complicating matters, some policies contain ambiguous language, where the policy provides coverage for resulting regulatory investigations but then excludes coverage for violations of the SEC Act, the Investment Advisers Act and similar statutes. In such cases, it is critical to understand how such actions will be treated by the firm’s E&O or D&O insurance policy.
- Does the firm’s cyber insurance effectively integrate with its D&O/E&O insurance? Have thorough coverage assessments been performed on each of those policies? Do they provide coverage for actions brought by self-regulatory organizations such as FINRA? Is coverage in place for investor litigation arising from a cyber incident?
- Is coverage included for preventative shutdowns, where a cyber attack is suspected but has not yet been confirmed?
- Does the firm’s cyber policy cover the legal costs of determining whether an incident actually requires reporting? Consider a social engineering attack that results in a fraudulent funds transfer, or an incident in which email credentials have been compromised. Does such an incident require reporting? If so, to whom?
- How are extortion payments insured? Does the policy require the insured to arrange the payment itself and then seek reimbursement, or does the insurer agree to pay the ransom “on behalf of” the insured? Given that time is often of the essence and it may be difficult for the insured to arrange such a large payment on its own in a timely manner, it is preferable to obtain a policy under which the insurer agrees to pay any cyber extortion demand on behalf of the insured.
- How does the policy define the covered “period of restoration” following an incident? Is coverage provided only until systems are restored? Or does it extend until operations are fully restored, which may run somewhat beyond the period of system restoration?
- Does the policy respond if an outsourced service provider is affected by a ransomware attack? Most policies will, but it is critical to double check.
- In the context of computer fraud and e-crime, is “social engineering” broadly defined? When extending coverage for social engineering, policies may specify how the impersonation must occur. Policies that limit coverage to attacks that impersonate only a client or a vendor, for example, could result in coverage being declined where the malicious actor impersonates a business partner or some other party. Some policies narrowly define “vendors”, and in some cases go a step further by explicitly excluding from that definition other “broker dealers, investment advisors or similar financial institutions”. Additionally, policies may specify how the request must be made: policy forms that limit coverage solely to email and other electronic requests can result in coverage being declined for instances where the transfer request is called in by phone.
- Does the e-crime insuring agreement provide coverage for invoice manipulation and other potential computer fraud losses? These are attacks in which the firm’s clients are tricked into making payments to a malicious actor posing as the insured, leaving the firm unable to collect the funds from the client. Does the policy extend coverage to attacks involving forged instruments, and to the loss of funds held in escrow or otherwise in the firm’s care, custody or control? Some policies are still either silent on, or explicitly exclude, such losses.
- Does the policy contain any problematic exclusions, such as those pertaining to the use of outdated or legacy software? Such exclusions can be particularly problematic because it is often not possible to know whether outsourced business providers are currently running any such software. Fortunately, these exclusions can often be negotiated out of the policy or narrowed at placement.