The financial sector is certainly no newbie when it comes to cyber risk and the threat of so-called social engineering fraud, but asset managers in particular have been warned that they are potentially easy prey for hackers and criminals.
While technical security is becoming a rising priority for the asset management industry, the sector is not prepared for the changing landscape of risk, says Ben Cubitt, financial institutions underwriter at International General Insurance (IGI).
Until now, asset managers have been relatively shielded from cyber and engineered threats, as they tend to hold less personal information compared to global commercial enterprises. However, they do hold highly confidential and sensitive forms of financial data on behalf of clients, and many will execute hundreds of thousands of trades every day – making them extremely attractive targets, explained Cubitt.
Combine that with today’s laser-focus on the protection of data, and security is becoming ever more crucial for these organisations.
“The General Data Protection Regulation (GDPR) is raising awareness for everyone. Asset managers will be asked by both their clients and prospective investors what they are doing to protect data and funds. These investors will be asking the same questions that the regulators pose,” Cubitt told Insurance Business at BIBA’s 2018 annual conference.
However, insurer appetite to cover these perils can vary, and many policy wordings, including those currently in force for fund managers, do not provide the technical elements of coverage as standard, according to the underwriter.
“It can be a time-consuming process for brokers and clients to find suitable cover,” Cubitt said. “For example, standard crime cover for asset management firms and their funds are likely to cover the direct financial loss sustained from a computer virus, but not typically the costs associated with handling such a breach.
“Similarly, payment transfers that arise out of a fraudulent instruction, be it via an intercepted email or over the telephone by a fraudster, may well fail when tested against a policy’s finer detail. These could exclude losses when such transfers are executed by an authorised individual.”
The asset managers at greatest risk are those in the SME space, who IGI says may not necessarily benefit from the cost of purchasing a stand-alone cyber policy. As a result, the insurer says it has “narrowed the risk down” to meet the requirements of SME managers through its new ‘Focused Protection’ Investment Management Insurance product.
As a whole, the insurance industry still has work to do when it comes to educating clients, particularly smaller businesses, about the perils they are facing, Cubitt said.
“Without the awareness, a client being told that they need to buy something to protect them from a risk that they’ve never heard of a like-minded firm being exposed to, might feel that they are being upsold to. But these instances do happen on a day-to-day basis, and they are not going away,” he said.
“The industry has a big role to play in terms of education. We see it first-hand and experience the losses and the exposures. This ‘new’ breed of criminals moves quickly, and the insurance industry needs to respond in a targeted and efficient way to provide peace of mind to all clients.”
Related stories:
Stark warning issued on cyber threat
Equifax: What went wrong?