Fidelity Institutional, the custodian of more than 13,500 wealth management firms and other institutions, requires RIAs to obtain professional and cyber liability insurance. The new requirements, shared with RIAs in March, are a direct response to expanding commercial threats and inadequate protections in place at RIAs, Fidelity said.
The new custodian mandates will require many wealth managers to purchase additional insurance coverage, some costing thousands of dollars a year, insurance brokers say.
Fidelity requires all RIAs, turnkey asset management platforms (TAMPs), and third-party administrators to carry errors and omissions insurance with coverage of at least $1 million, as well as a financial institution bond or other coverage that protects them against direct losses caused by criminal behavior by employees, such as fraud or theft.
Additionally, Fidelity requires RIAs to have an insurance policy covering at least $250,000 in damages and expenses related to social engineering or other malicious actions that induce employees or customers to do things like disclose confidential information or transfer funds. RIAs can meet the cybersecurity requirement either through an endorsement to their errors and omissions (E&O) insurance policy or through a standalone cyber insurance policy. The $250,000 can count toward the $1 million minimum coverage, Fidelity told RIA Intel.
Fidelity said it notified all of its customers in March and told them they had to meet the insurance requirements within a year of being notified. (Fidelity Institutional does not publicly share how many of its 13,500 clients are private wealth management firms.) Several RIAs that custody with Fidelity told RIA Intel they were unaware of the new mandates, although that does not necessarily mean that Fidelity did not inform them.
Most RIAs custodied at Fidelity already carry at least one of these policies. “We used to strongly encourage our clients to get this coverage,” Scott Slater, vice president of practice and advisory management at Fidelity Institutional, told RIA Intel.
In a 2021 benchmarking study of its RIAs, Fidelity found that 97% had errors and omissions insurance and that the median amount of coverage was $2 million. In other words, it seems that few RIAs will need to obtain an errors and omissions policy for the first time or to strengthen their coverage. Still, increased market volatility has made RIA operations more complex, leading to increased risk of losses due to errors, Slater said.
The same benchmarking study found that only 62% of RIAs had a financial institution bond and 77% of Fidelity RIAs had some form of cyber insurance. “We found that while most companies cover the basics in terms of cybersecurity training, written policies and procedures for responding to breaches, and cyber insurance, a number of companies fall short of these minimums,” Fidelity concluded from the study last year.
Slater said Fidelity’s specific cyber mandate is a direct response to the increasing “frequency, complexity and severity of social engineering incidents.” (Similar rules went into effect for RIAs in the custody of Schwab Advisor Services three months ago.)
Most advisors are overconfident in their cybersecurity, according to Cerulli Associates, a Boston-based consulting group specializing in wealth management. More than 80% of advisers “believe their practice is prepared for cybersecurity threats, reflecting pride in the face of sophisticated and targeted threats,” Cerulli said in a March report.
To meet Fidelity’s $250,000 coverage requirement for social engineering, many RIAs will need to augment an insurance policy they already have or buy a standalone cyber insurance policy, insurance brokers say.
E&O policies typically don’t cover cyber events, so RIAs will need to add cyber endorsements to their policies to meet Fidelity’s requirements, Nick Weiner, program manager at Varney Agency, which has about 500 wealth management firms as clients, told RIA Intel. In some cases, these additions to E&O policies only cover funds transfer fraud, ransomware protection, credit monitoring for customers affected by cyber events, and forensic investigations, not damages and expenses related to cybercrime, including social engineering. Under these circumstances, an RIA might be forced to purchase a stand-alone cyber insurance policy.
Either way, to fulfill their mandate, RIAs will pay for additional coverage.
The cost of an insurance policy depends on factors specific to each RIA, such as the number of customers it has and its annual turnover. An insurance policy’s coverage, deductible, claim limits, and the carrier that sells it also impact the cost.
For a company managing less than $100 million in assets, the annual premium for $1 million of errors and omissions coverage, with a $10,000 deductible, would cost about $6,900, Weiner told RIA Intel. Adding employee theft coverage to an E&O policy typically costs 3% of the existing premium. Adding $250,000 of social engineering coverage would cost RIAs roughly an additional $750, Weiner said.
Most stand-alone cyber insurance policies with $1 million of coverage come with $250,000 of coverage for cybercrime (including social engineering), which would fulfill Fidelity’s mandate. These policies can cost RIAs anywhere from $1,000 to over $2,000 per year, according to brokers. RIAs that choose to purchase stand-alone cyber insurance will pay more in premiums but will have significantly more cyber coverage, the brokers said.
The biggest cybersecurity risk for RIAs is ransomware, which locks up software or important information until a ransom is paid to the attacker, said Brian Thornton, president of Prowriters, a digital wholesale insurance broker specializing in E&O and cyber insurance. But social engineering attacks are a common source of cybersecurity claims, he added.
“You can definitely see a scenario where an investment adviser’s email is hacked, and someone uses it to [message] a customer to say, ‘hey, send funds here,’” Thornton said. “Or the scenario where they don’t even hack you, but [hackers] spoof your email and give the impression that it comes from you, even if [the hackers] never entered your system.”
If a client mistakenly transfers funds to someone they think is their advisor, they can still sue their advisor, Thornton said. “Even though you don’t necessarily have client funds in your care, custody and control, you could be sending funds to them on their behalf. You still have some exposure there,” he said.
How RIAs meet Fidelity’s new insurance requirements is up to them, brokers said. But they recommended reaching out to firms like theirs that have worked with wealth managers before. These brokers are more familiar with the needs of RIAs and can ensure that they are properly protected, meet all requirements, and do not purchase more coverage than necessary.
Holly Deaton (@HollyLDeaton) is a writer at RIA Intel and based in New York.