Most registered investment advisors see any potential fraud involving computers as a serious risk to business, but fraud coverage within a cyber liability policy can vary.
Unlike RIAs, insurers don’t think of cyber risks like fraud as one single risk, but as many varied risks. Policy underwriters break out these risks into categories, offering more, less or no coverage depending on a number of factors.
Many RIAs purchase cyber liability to protect against all their possible cyber risks, but not all of those risks may be covered. The wrong policy can leave you overexposed with the wrong or no coverage for key risks.
RIAs dealing with today’s cyber risks need both computer fraud protection and funds transfer fraud protection. Here’s what to know about these two different types of cyber liability coverage and how to make sure your next cyber policy includes both.
About Computer Fraud
Like all fraud, computer fraud involves deception with the intent to illegally or unethically gain something of value at the expense of another. It’s a broad category of computer crime and can include:
- Data breaches
- Network intrusions
- Phishing and spear phishing
- Formjacking, cryptojacking and other malware
- Business email compromise scams
- Theft of data, property or monies
In contrast to other categories of computer crimes, such as vandalism and ransomware hacks where the cybercriminal makes their presence known, computer fraudsters do not announce themselves. This can mean a hack goes unnoticed for longer, potentially doing more damage and costing more for a business to remedy.
Computer fraudsters focus on gaining access to electronic systems and acquiring something of value, such as your:
- Client data
- Customer credit card details
- Passwords and logins
- Business records
- Trade secrets
The ways in which these valuable business assets can be exploited are nearly endless. Specific to RIAs, this could include fraud like in the following scenarios:
Emails go out to financial services offices appearing to be from a large vendor celebrating a business milestone and offering a free gift to all its partners with instructions to click a link and provide their info. But the offer is a phishing scheme and the info collected is sold to spammers. Result: The incident costs several thousand dollars to remedy.
A financial advisor gets a password reset notice from what appears to be his IT department. He clicks on the link in the message and provides his login credentials to a hacker believing he is updating his password. The hacker uses the credentials to initiate a $10,000 purchase of a particular stock. Result: The hack results in a loss of $10,000 to the advisor’s firm.
An RIA office receives several invoices in an email appearing to be from a vendor claiming they are overdue and a service interruption is imminent. Payment is quickly sent, but the invoices turn out to be fraudulent. The email came from a lookalike email address, not the vendor. Result: The RIA office experiences a loss of $15,000 from payment of the fraudulent invoices.
An RIA conducting an internet search for work purposes visits a compromised website that silently installs cryptojacking malware. Once on the company network, it uses business computing resources to mine cryptocurrency. The business suffers an interruption as its computers slow to a crawl. Result: The company loses several days of productivity, resulting in a loss of $100,000.
A financial services employee receives what appears to be a proposal attachment, but opening the file runs malware that scans the network for business records it can send to an outside hacker for sale on the “dark web,” the internet’s black market. Result: The firm’s data breach causes a significant loss of more than $1,000,000.
It’s important to note that some cyber insurance policies cover only some of these types of computer fraud, yet RIAs could fall victim to any of them.
In each of the above instances, the computer fraudster used deceit to obtain private information or unauthorized access that could be sold or used to facilitate yet another crime and make a profit. The primary victim in such computer fraud incidents is usually the financial services business itself or its employees.
However, clients of a firm can also become victims of fraud. When this happens, it usually takes the form of funds transfer fraud, which is often seen as distinct from other types of computer fraud.
About Funds Transfer Fraud
Funds transfer fraud involves the fraudulent transfer of monies from one financial institution to another by means of electronic banking websites, email communications and/or phone calls. It’s a more narrowly defined form of computer crime that can include:
- Fraudulent wire transfers
- Fraudulent transfer change requests
- Unauthorized fund disbursements
Funds transfer fraud usually occurs in combination with a related computer fraud event, such as a hack, phishing attack, or business email compromise scam. That’s because cyber thieves often need to use social engineering tricks to gain access to systems and people that can facilitate the theft of the funds. If you are ever a victim of funds transfer fraud you are likely to communicate directly with the thief, either through email or phone calls.
A key difference from other computer fraud events is that funds transfer fraud involves two or more financial institutions being defrauded — the institution that is deceived into facilitating an unauthorized removal of monies and any other institutions that are deceived into facilitating the receipt and transfer of such monies into other accounts.
Often, funds transfer fraud is international. Monies will be stolen from an account in one country and then moved through several accounts into a second or even third country. This aspect of the crime is significant. It makes it more difficult to:
- Stop the theft
- Identify the thieves
- Recover the stolen funds
Like other forms of computer fraud, funds transfer fraud can exploit financial professionals in a number of ways. Scenarios such as these are typical:
A financial professional is contacted by email for assistance handling a monetary settlement of $50,000. The contact asks that the funds be received in escrow and then immediately transferred to a separate account. The financial professional assists with the transfer. Result: The incoming “settlement” payment never clears (it is returned for insufficient funds), but the outgoing transfer has already been sent, leaving a loss of $50,000.
A financial advisor is assisting a client with the purchase of a piece of real estate. An email appearing to be from the client’s email account requests a last-minute change to the wiring instructions for the $100,000 down payment. The advisor’s call to confirm goes to voicemail and, with closing the next day, he makes the change. Result: The client experiences a loss of $100,000 and his closing is postponed.
A recordkeeper receives, verifies and processes what appear to be requests to change the contact and banking information on a client’s retirement account. The “client” then requests a distribution of $400,000 from the account. After processing, the funds are disbursed. Result: The disbursement is fraudulent and the client experiences a loss of $400,000 in savings.
A financial services executive is overseeing the final stages of an acquisition. He receives an email with wire transfer instructions that appear to be from the CFO of the company being acquired. The executive confirms the instructions by phone with the unfamiliar contact and initiates an $18 million transfer. Result: The wire transfer instructions were fraudulent and the firm is only able to recover part of the monies.
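The common thread in the lookalike-invoice scenario above and the three wire-instruction scenarios is that the firm acted on sender identity and contact details that came from the attacker’s own message. As an added example (not from the original article or from Lockton Affinity), the following hypothetical pre-release check encodes the two controls a practitioner would want before releasing a payment: the sender’s domain must exactly match a domain already on the firm’s approved list (near-matches are flagged as lookalikes), and any change to beneficiary banking details must have been confirmed by a callback to the phone number on file, never to a number supplied in the email. The approved domains, phone numbers and requests are constructed sample data.

```python
"""Hypothetical payment-instruction review check (added example, not the article's code)."""
import unicodedata
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed "book of record": domains the firm already does business with and the
# callback number that was verified when the relationship was set up.
APPROVED_CONTACTS = {
    "acme-vendor.com": "+1-555-0100",
    "client-smith-family.net": "+1-555-0101",
}


def normalize_domain(domain: str) -> str:
    """Fold common look-alike tricks so 'acme-vend0r.com' compares equal to 'acme-vendor.com'.
    NFKD + ASCII strip drops accented/Cyrillic homoglyphs entirely, which still leaves a
    near-match for the edit-distance test below."""
    d = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_status(sender_domain: str) -> str:
    """'approved' only on an exact match; a near match is a lookalike, anything else is unknown."""
    sender_domain = sender_domain.lower()
    if sender_domain in APPROVED_CONTACTS:
        return "approved"
    norm = normalize_domain(sender_domain)
    for good in APPROVED_CONTACTS:
        if edit_distance(norm, normalize_domain(good)) <= 2:
            return f"lookalike of {good}"
    return "unknown"


@dataclass
class PaymentRequest:
    sender: str                       # From: address of the instruction email
    amount: float
    beneficiary_account: str          # account the email asks us to pay
    account_on_file: Optional[str]    # account we already hold for this counterparty
    callback_number_used: Optional[str]  # number staff actually dialled to confirm, if any


def review(req: PaymentRequest) -> Tuple[bool, List[str]]:
    """Return (ok, reasons). ok is True only if nothing needs a human to stop and look."""
    reasons = []
    domain = req.sender.rsplit("@", 1)[-1].lower()
    status = domain_status(domain)
    if status != "approved":
        reasons.append(f"sender domain {domain} is {status}")
    if req.beneficiary_account != req.account_on_file:
        # Changed banking details are only acceptable if confirmed on the number we
        # already had, not one taken from the same email that asked for the change.
        expected = APPROVED_CONTACTS.get(domain)
        if expected is None or req.callback_number_used != expected:
            reasons.append("banking details changed but not confirmed by callback to the number on file")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed requests modelled on the scenarios in the text.
    for r in (
        PaymentRequest("ap@acme-vendor.com", 15000, "111", "111", None),
        PaymentRequest("ap@acme-vend0r.com", 15000, "222", "111", "+1-555-0199"),
        PaymentRequest("cfo@settlement-escrow.biz", 18000000, "333", None, "+1-555-0150"),
    ):
        print(r.sender, review(r))
```

The two-character edit-distance threshold is deliberately loose; on very short domains it will produce false positives, which is the right direction of error for a control that only adds a manual review step before money moves.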
Because of the risks involved, funds transfer fraud is often insured separately from the broader category of computer fraud. The risks of computer fraud generally involve a direct theft of known business assets, requiring the business to be made whole and the exploited security weaknesses to be remediated. But funds transfer fraud is likely to result in complex litigation from multiple parties, regulatory fines and penalties, public relations costs and lost business opportunities, in addition to the original loss. These are risks that generally aren’t priced in by computer fraud underwriters, which is why they exclude them.
Managing Cyber Liability Risks
As a financial professional, it’s important to understand that not just any cyber liability policy will do when it comes to insuring against your risks. For computer fraud, some policies may exclude coverage for the particular risks you face. For funds transfer fraud, there’s the danger of no coverage or significant sub-limits with some policies, even as exposures for RIAs can exceed $250 per record.
Given the potentially devastating impact of a cyber liability claim, the right coverage is a must. Lockton Affinity offers comprehensive Cyber Liability coverage, which can cover computer fraud and funds transfer fraud.
Being uninsured or underinsured for cyber liability as a financial professional is a huge risk. It is important to take the time to understand the different categories of coverage, such as computer fraud and funds transfer fraud, and make sure you have adequate coverage for both. Check your existing policy for exclusions and sub-limits and be sure your next policy covers you fully.