The Importance of Cybersecurity Insurance for Private Equity Firms
VerifyInvestor.com
The importance of cybersecurity insurance — especially for private equity firms — cannot be overstated.
In today’s era of technological advances and innovations, cybersecurity is not just a good idea for companies in the financial services industry, it is crucial. It is especially crucial if you own or operate a company that gathers and maintains sensitive data like financial information, personal information, or confidential business plans, and most of all if you manage large sums of money for a broad customer base.
Cybercrime is on the rise.
Not only that, but keeping up with the diverse ways in which a company can get hacked or attacked by cyber criminals is difficult to do. Cyberattacks are constantly changing. As technology continues to evolve, cybercriminals are constantly innovating and changing the tactics they use to break into computer systems, steal money or information, and evade detection.
Cybersecurity insurance is one important tool that private equity firms and managers need to put in place as part of an overall cybersecurity protection plan.
Cybersecurity Issues and Private Equity: A Brief Look at the Problem.
Unfortunately, more and more, private equity firms are being directly targeted by cybercriminals. Hackers view private equity firms as lucrative targets. As one cybersecurity firm, Accenture, puts it, because they have ready cash, once a private equity firm announces a deal, they attract cybercriminals “the way an open purse attracts pickpockets.”
Plus, the cost of a cyberattack is stupendous. Not only do private equity firms lose customer records and millions of dollars, but cyberattacks frequently lead to hefty fines by regulators that can cost a firm or issuer millions of dollars. Additionally, having your system hacked degrades customer trust. This can cause accredited investors to pull out of a deal, further increasing the financial impact of a cyberattack.
The losses connected with a cyberattack can be both direct and indirect. Direct losses are losses that arise directly from the breach — like stolen money or ransom costs. Indirect costs are costs that are caused by the attack, but are not so obvious. For example, indirect costs can be the costs of resulting lawsuits, regulatory fines or the money spent to repair the breach.
After spending significant time and money to find accredited investors, and after bearing the effort and cost of investor verification, private equity firms stand to lose much, if not everything, in a cyberattack, including the loss of investor confidence.
Statistics indicate that in the United States, the average cost of a data breach in 2023 alone was 9.48 million dollars.
And the impact on consumers? Enormous.
Consider these facts from a study conducted by NinjaOne on the top 10 cybersecurity breaches:
In 2013, 3 billion Yahoo consumers had their private data stolen.
Barely one year later, in 2014, another Yahoo cyberattack resulted in the loss of 500 million records.
In 2018, Marriott International lost the personal information of 500 million customers.
In 2019, First American Corporation lost the private information of 885 million people.
That same year, 540 million Facebook records were stolen.
The information above is just a sample of some of the major cyberattacks that have occurred.
Unfortunately, private equity firms make attractive targets for cybercriminals, and in many respects they make the perfect victim.
Why?
Well, there are several reasons.
First, private equity firms store sensitive data digitally — like financial information, personal customer information, credit card data, and the confidential business information of portfolio companies.
Next, private equity firms manage large sums of money for an extensive customer base.
In addition, most private equity firms use third-party vendors. Cybercriminals often target third-party vendors that lack strong security as an entry point into a private equity firm’s systems.
Another factor making private equity firms prime targets for cybercrime is that historically, most private equity firms simply have either ignored cybercrime or have not dedicated much time and money to putting strong system protections in place. As a result, many private equity firms leave themselves open to attack.
Adding to these vulnerabilities is the fact that private equity firms can be attacked by cybercriminals in many different ways. Some of the most prevalent include phishing and data attacks. For private equity firms, however, ransomware attacks have been a particular problem.
Ransomware attacks occur when a malicious program (perhaps downloaded from an email) locks you out of your entire data system. Attackers then demand a “ransom” (i.e., money) to give you back access to your own system. Private equity companies have been particularly vulnerable to these types of attacks, especially after the announcement of a private equity deal.
Ransom demands vary, of course, but the amount of money demanded can range anywhere from 5 million to 11 million dollars. Keep in mind that this is just for the ransom demand itself. The overall costs of a cyberattack — regardless of what form the attack takes — are far more. The costs associated with cybercrime encompass the loss of time and profits due to a shutdown in business, possible fines, a loss of investors, and even potential litigation following the attack.
Emerging Cybersecurity Issues
Not only is cyber liability insurance coverage a good idea, but the Securities and Exchange Commission (SEC) has been aware of the risks that cyberattacks pose for investors for a while now and has turned its attention to regulating this area more heavily.
In 2011, the SEC issued guidance requiring companies to not only assess and disclose their cybersecurity practices and procedures but to also assess and disclose how effective those practices and procedures are in preventing or mitigating the risks associated with cyberattacks.
In July of 2023, the SEC issued new rules requiring public companies to disclose all material cybersecurity incidents within four (4) business days of any occurrence. The new rules require annual disclosures from public companies containing material information about a company’s cybersecurity risk management, strategy, and governance. In addition, the new rules mandate that companies describe their board’s involvement and oversight of cybersecurity.
These new rules apply to publicly traded companies.
But what about private equity firms?
The SEC Is Promulgating Cybersecurity Rules and Applying them to Private Equity Firms.
It turns out that registered publicly traded companies are not the only ones subject to the new rules.
The new rules require investment advisors to report “significant cybersecurity incidents” to the SEC within 48 hours of discovery of the event. Among other requirements, investment advisors and investment companies must adopt and implement written cybersecurity policies and procedures designed to address any risks that could harm clients or fund investors.
Registered investment advisors are expected to begin reporting any material cybersecurity incidents within 90 days of publication of the final rule in the Federal Register or on December 18, 2023 — whichever is later. There is no absolute legal deadline for this. However, the SEC is expected to take final action on this rule in 2024.
The Importance of Cybersecurity Insurance for Private Equity Firms.
Given the seriousness of cyberattacks and the fact that private equity firms are prime targets for such attacks, many firms are investing in cybersecurity insurance (also known as “cyber liability insurance” or “cyber risk insurance” and referred to herein at times as “cyber insurance”) as one means of mitigating the effects of a cyberattack.
Cybersecurity insurance is an insurance policy that addresses cyberattacks. It can cover instances such as computer hacks, ransomware, data breaches, or total shutdowns due to a cyberattack. It can also help to defray the costs of litigation, fines and fees, or other damage that may be associated with a cyberattack.
The purpose of cyber insurance is to protect the insured against cyberattacks and to cover some of the costs related to recovering from a cyberattack. Because these issues are not part of a traditional insurance policy, cyber insurance is considered a “specialty” insurance.
Cyber insurance has its limitations (discussed more below), but overall it is critical that private equity firms obtain cyber liability insurance coverage as part of an overall robust cybersecurity plan. Not only can it help to mitigate the costs associated with a cyberattack, but not having a comprehensive cybersecurity plan (including insurance coverage) can seriously damage a fund’s investments and its reputation with accredited investors.
And, as noted above, given the recent addition of SEC rules in this area, not having a sufficient cybersecurity plan could expose a private equity firm to regulatory violations.
Cyber Insurance Policy Terms — Not So Standard.
While more and more businesses need cyber insurance to protect them, it can be difficult and expensive to obtain cyber insurance.
Why?
In part, it is due to the very nature of cyber risk. Cyberattacks are constantly changing and evolving, making it difficult for insurers to develop standardized policy language. The ever-changing risks also make it difficult for insurers to price coverage: cyber risks are difficult to quantify, and the cost of cyber breaches is difficult to estimate.
In addition, this area of coverage is fairly new. Cyber liability insurance emerged in the 1990s when insurance companies began to adjust general liability insurance to fit cyberattacks. First-party and third-party losses were included in 2010.
Another complication is the fact that there is not a lot of legal precedent in cyber matters or in cyber insurance. This makes it difficult for insurers to write policies, rendering most cyber insurance policies restrictive, and it makes it more difficult for all parties involved to properly interpret coverage.
Most cyber policies have up to 15 separate insuring agreements. There are no standardized insurance forms. Instead, terms vary from insurer to insurer.
Nevertheless, experts encourage private equity firms to invest in cybersecurity liability insurance as part of an overall cybersecurity plan. Insurance should not be relied upon as the only cybersecurity tool, but it is an important part of an overall security plan.
On the other hand, because cyber policy terms are not standard, it is critical for private equity firms to review their current insurance policies to make certain that the scope of coverage fits with the firm’s specific operations. Also, be aware that the types of risks covered in these policies vary significantly from insurer to insurer.
Moreover, in reviewing an insurance policy — and a cyber liability insurance policy in particular — it is critical to be aware of exclusions.
While there are no standard terms, cyber insurance policies generally will cover the following sample of events (this list is not all-inclusive):
business interruption losses
data retrieval and system restoration costs
ransomware
remediation costs to respond to a system breach, and
cybercrime and network security.
Equally important, however, is what cyber liability insurance will not cover. Some examples (again not an all-inclusive list) are:
human error. If human error is the reason for a security breach, insurance will not pay for it.
poor security. Insurance will not cover situations that were caused by poor security processes or poor security management. Note that the SEC’s new rules regarding disclosures will make it easier for insurance companies to know exactly what those processes and overall management are.
prior security breaches. Most policies will not cover breaches that occurred before the policy was put in place.
security breaches caused by employees.
Private equity firms should try to get cyber liability insurance policies that cover some or all of the following:
attacks on data held by the private equity firm and on data held by third parties on its behalf,
cyberattacks initiated outside the United States, and
terrorist attacks.
It is vital that private equity firms carefully review their current insurance policies (for example, a firm’s D&O (directors and officers liability) insurance) to determine which cyber-related events are or are not covered.
Cyber Insurance is Good, But Firms Need to Go Beyond Just Getting Cyber Insurance.
Finally, while having cyber insurance makes sense and can effectively mitigate the risks associated with cyberattacks, it does not replace — for insurance or regulatory purposes — having a sound risk management strategy.
In fact, firms that lack other robust strategies for protecting themselves against cyberattacks may not be able to get cyber liability insurance at all. To meet the SEC’s new rules and, indeed, to even qualify for cyber liability insurance in many cases, private equity firms must have a complete security program in place that will identify, measure, and mitigate the types of cyberattacks the firm may be exposed to.
Suggestions for private equity firms include, but are not limited to, doing some or all of the following:
using firewalls, intrusion detection, and encryption to build solid security systems,
training employees on cybersecurity best practices,
regularly reviewing, analyzing, and addressing any vulnerabilities that may exist in your systems,
developing an incident response plan,
addressing all system breaches immediately,
constantly monitoring your systems for threats, and
putting data backup and data recovery plans in place.
While no single cyber hygiene approach can keep any system free from cyberattacks, it is imperative for business and regulatory purposes that private equity firms address the issue of cybercrime and put robust systems in place to protect themselves and their investors.
VerifyInvestor.com is a leading resource for verifying accredited investors in compliance with federal laws. We also offer custom verifications, qualified purchaser, and qualified client verifications.