The following article originally appeared in FundFire and was written by Lydia Tomkiw.
In this exclusive interview with FundFire, John Araneo, Managing Director, Align Cybersecurity, and General Counsel of Align, and Vinod Paul, COO of Align, discuss the most significant cyber threats hedge funds are facing and how the environment has changed this year. Additionally, the subject matter experts address the driving forces in the uptick of cyber insurance.
Hedge funds across the market nervously watching cyber attacks and breaches from WannaCry to the Equifax hack are asking themselves: do we need cyber insurance?
As managers debate the pros and cons, as well as the cost, a new policy is taking aim specifically at hedge funds and the client asset redemptions they could suffer.
Hedge funds have specific risk concerns and needs related to cyber protection, including the client information they might hold in-house, as well as proprietary investment data such as short positions, says Ron Borys, managing director at Crystal Financial Institutions, a division of Alliant Insurance Services.
“We felt those unique characteristics of a hedge fund created a unique area of risk that wasn’t necessarily being addressed in a traditional cyber policy,” he says.
Crystal Financial, working along with BlueVoyant, Bohrer PLLC and Everest Insurance, recently introduced a specific policy aimed at hedge funds, which includes an extension of coverage for unplanned redemptions due to a cyber breach and allows fund managers to recoup lost management fees from those assets. The policy is part of a larger package of services for hedge funds, including preparedness evaluation and crisis response guidance.
One of the biggest concerns hedge funds have from cyber breaches is a run on the fund by investors after an incident, Borys says. “That’s something managers may not be prepared for and quite frankly why they might look at insurance as a backstop to those risks,” he says.
The exact number of hedge funds with cyber liability insurance is unclear, but industry experts estimate it at around 20% of the market. The number of U.S. insurers underwriting cyber insurance coverage is growing, hitting 170 insurers in 2017 from 119 in 2015, according to a July report from Aon based on statutory filing data from the National Association of Insurance Commissioners. The study found the total value of U.S. cyber premiums grew by 37%, reaching $1.84 billion in 2017, with significant growth coming from packaged business.
“I think it’s still early days. I know that it has been on the radar of some… but actually taking the step and buying first- or third-party [cyber breach] insurance, at least in my experience, is still somewhat new,” says John Hunt, a partner at Sullivan & Worcester.
It’s important to break down coverage, he adds, with first-party policies protecting the hedge fund manager for any losses they might directly suffer from a breach, such as loss of an investment algorithm, and third-party coverage offering protection for losses stemming from loss of client data.
Regulatory pressures and an increased number of attacks – especially sophisticated emails that appear to originate from a CEO or management team – are driving hedge funds to look at coverage, says Vinod Paul, COO of Align.
“Over the last year, we’ve seen tremendous maturity over the various [insurance] offerings out there,” he says, adding that “funds are taking the time to understand what is truly their coverage.”
The potential headline risk is also a key driving factor, says John Araneo, Align’s managing director. “[T]he reputational harm of having a flawed cyber security program, or breach or a lapse that will or will not be exposed, can be the most damaging,” he says.
Cost remains an issue with insurance, especially for smaller firms, says Askari Foy, managing director at ACA Aponix and former associate director of the SEC’s national technology controls program. And in their due diligence process, firms are looking more closely at who is holding what information and whether third-party providers and fund administrators have the proper procedures in place.
“Firms are really looking to see who has information. From a cost perspective, I see it as a concern for the smaller shops where they are deferring more to outside providers,” he says.
It’s an issue that’s not going away any time soon, especially as institutional investors continue to ask about firm policies, he adds.
“It’s a constant pressure on them because investors are asking what they are doing with cyber insurance from a coverage perspective,” he says.