Fidelity Mandating Coverage After the Securities and Exchange Commission (SEC) Proposes New Rules

Cyber risk is dynamic, pervasive, and indiscriminate. It transcends company size, geography, and industry vertical. The Financial Services sector has long been a popular target for cybercriminals. There has been a significant increase in the frequency, severity, and level of sophistication of cyber-attacks in the last 2 years, most notably ransomware.

Following several high-profile ransomware attacks in 2021, the Biden Administration prioritized and elevated its focus on cybersecurity. On February 9, 2022, the Securities and Exchange Commission (SEC) announced new proposed cybersecurity rules for Registered Investment Advisors (RIA) and investment companies (Proposed RIA Rules[1]) addressing cybersecurity risk management, reports to the SEC, and investor disclosures.

The Proposed RIA Rules are grounded in advisors’ fiduciary obligations to protect their clients’ interests and are promulgated under the Investment Advisers Act of 1940 and the Investment Company Act of 1940. Although there are some existing SEC regulations that touch on cybersecurity, there is no comprehensive set of rules that specifically require firms to adopt and implement broad-based cybersecurity risk management programs.

The Proposed RIA Rules contain four broad categories of cybersecurity requirements for firms that are registered or are required to be registered with the SEC:

  • Risk Assessments & Policies/Procedures: The Proposed RIA Rules would require firms to conduct cybersecurity risk assessments, document such assessments in writing, and develop and implement policies and procedures that are reasonably designed to address identified cybersecurity risks;
  • Reporting: Report significant cybersecurity incidents affecting the adviser or its fund or private fund clients to the SEC within 48 hours;
  • Disclosure: Publicly disclose (in brochures and registration statements) cybersecurity risks and significant cybersecurity incidents that occurred in the last two fiscal years; and,
  • Recordkeeping: Implement new recordkeeping requirements to improve the availability of cybersecurity-related information and help facilitate the SEC’s inspection and enforcement capabilities.

A few months prior to the announcement of the Proposed RIA Rules, in October 2021, Schwab Advisor Services (Schwab) mandated that all 13,000 RIAs that custody client assets with Charles Schwab must have insurance that covers errors and omissions (E&O) and cybersecurity threats.

More recently, in March 2022, Fidelity Institutional (Fidelity), the custodian for over 13,500 wealth management firms and other institutions, announced a similar mandate. All Fidelity RIAs must have professional liability/errors and omissions (E&O) insurance as well as cyber insurance.

The Schwab and Fidelity mandates around E&O/cyber insurance are largely a response to the rapidly evolving cyber threat environment and the increased scrutiny of cybersecurity risk by federal and state legislators and regulators. Both Schwab and Fidelity allow RIAs to satisfy the cyber-related requirement via an endorsement to an E&O policy or through a standalone cyber insurance policy. Unfortunately, the devil is in the details when it comes to insuring against cyber-related risk. Regardless of the approach – endorsement or standalone cyber coverage – policy wording varies greatly and can be complicated. Further, it may be necessary to explore coverage under a commercial crime policy in addition to the E&O and/or cyber policy in order to fully protect against the risk.

Insuring against this risk to satisfy these insurance mandates is only one piece of a much larger puzzle for firms. If the SEC's Proposed RIA Rules are approved, many advisers and funds will likely need to implement or significantly improve cybersecurity risk management programs very quickly. Accordingly, firms should be reviewing their insurance portfolios as well as their overall approach to network security and data privacy.

Tips and Takeaways

  • Review your insurance portfolio carefully with an experienced insurance broker or insurance coverage attorney. Insurance coverage for cyber-related risks is still in its infancy in the grand scheme of things. Policy wording is not standardized and can be complicated. Consider the following:
    • E&O Insurance is primarily third-party liability insurance. In order to trigger coverage under the vast majority of E&O policies, there must be a “claim” against the firm made by a third party alleging negligence in the performance of professional services. Most E&O policies, in their core form, do not provide coverage for data breaches, cybercrime, social engineering, or ransomware attacks. In fact, many E&O policies have very specific exclusionary wording around cyber-related losses. If your firm is able to add cyber coverage onto your E&O policy, it will typically be subject to an additional premium and a low sub-limit of liability.
    • Cyber Insurance is a combination of first- and third-party coverage. Comprehensive standalone cyber insurance coverage will reimburse the policyholder for costs incurred in responding to a breach event, such as legal costs, computer forensic costs, public relations, notification/credit monitoring, business interruption, ransom payments, theft of the policyholder/insured’s funds, etc. Cyber policies also provide liability coverage in the event a civil action or privacy regulatory action is brought against the firm.
  • Review your cybersecurity risk management program OR start taking the steps necessary to create and implement one. Below are a few key areas to focus on:
    • Conduct a risk assessment of the current key cybersecurity controls – access controls, monitoring and detection tools, credential/password management, etc. – to identify areas that need improvement.
    • Implement Multifactor Authentication across the board – especially on privileged and remote access accounts.
    • Review/Update your incident response plan to incorporate the tight (48-hour) deadline for deciding whether an incident is “significant” enough to warrant reporting, should the Proposed RIA Rules be adopted.
    • Evaluate/Audit any service providers that receive, maintain, process, or access RIA or fund systems and information, and the cybersecurity risks presented by such service providers; ensure the service providers are governed by sound third-party cybersecurity management protocols.

[1] The Proposed RIA Rules are different from (but similar to) the SEC proposed rules announced on March 9, 2022 relating to public companies.