Fidelity Institutional, the custodian for more than 13,500 wealth management firms and other institutions, is mandating that RIAs get professional liability and cyber insurance. The new requirements, shared with RIAs in March, are a direct response to expanding business threats and inadequate protections in place at RIAs, Fidelity said.
The custodian’s new mandates will force many wealth managers to buy additional insurance coverage, costing some of them thousands of dollars per year, according to insurance brokers.
Fidelity is requiring all RIAs, turnkey asset management platforms (TAMPs), and third-party administrators to have errors and omissions insurance with at least $1 million of coverage, as well as a financial institution bond or other coverage that protects them against direct losses due to criminal behavior by employees, such as fraud or theft.
Additionally, Fidelity is requiring RIAs to have an insurance policy that will cover at least $250,000 in damages and expenses related to social engineering, or malicious actions that trick employees or clients into doing things like disclosing confidential information or transferring funds. RIAs can meet the cyber-related requirement using an endorsement or rider on their errors and omissions (E&O) policy, or through a standalone cyber insurance policy. The $250,000 can count toward the minimum $1 million in coverage, Fidelity told RIA Intel.
Fidelity said it notified all its customers in March and told them they must satisfy the insurance requirements within one year of their notification. (Fidelity Institutional does not publicly share how many of its 13,500 customers are private wealth management firms.) Several RIAs that custody with Fidelity told RIA Intel they were unaware of the new mandates, although that does not necessarily mean Fidelity didn’t notify them.
Most of the RIAs that custody with Fidelity already have at least some insurance. “Previously, we strongly encouraged our clients to obtain this coverage,” Scott Slater, vice president of practice management and consulting at Fidelity Institutional, told RIA Intel.
In a 2021 benchmarking study of its RIAs, Fidelity found that 97 percent had E&O insurance and the median amount of coverage was $2 million. In other words, it seems that few RIAs will need to get an E&O policy for the first time or bolster their coverage. Still, increased market volatility has made operations at RIAs more complex, resulting in greater risks associated with losses due to errors, Slater said.
The same benchmarking study found that only 62 percent of RIAs had a financial institution bond and 77 percent of Fidelity’s RIAs had some form of cyber insurance. “We’ve found that, while most firms cover the basics in terms of maintaining cybersecurity training, written policies and procedures to respond to breaches, and cyber insurance, quite a few firms don’t meet these minimums,” Fidelity concluded from the study last year.
Slater said Fidelity’s specific cyber mandate is a direct response to the increase in the “frequency, complexity, and severity of social engineering incidents.” (Similar rules went into effect for RIAs that custody with Schwab Advisor Services three months ago.)
Most advisors are overconfident in their cybersecurity, according to Cerulli Associates, a Boston-based consulting group focused on wealth management. More than 80 percent of advisors “believe that their practice is prepared for cybersecurity threats, which reflects hubris regarding sophisticated and focused threats,” Cerulli said in a March report.
To meet Fidelity’s $250,000 coverage requirement for social engineering, many RIAs will need to augment an insurance policy they have or purchase an independent cyber insurance policy, according to insurance brokers.
E&O policies generally do not cover cyber events, so RIAs will need to add cyber endorsements or riders to their policies to meet Fidelity’s requirement, Nick Weiner, program executive at insurance brokerage Varney Agency, which has about 500 wealth management firms as clients, told RIA Intel. In some cases, those augmentations to E&O policies only cover fund transfer fraud, ransomware protection, credit monitoring for clients impacted by cyber events, and forensics investigations — not damages and expenses related to cybercrime, including social engineering. In that circumstance, an RIA might be forced to buy a standalone cyber insurance policy.
Either way, to fulfill the mandate, RIAs will be paying for additional coverage.
The cost of an insurance policy depends on factors specific to each RIA, like the number of clients it has and its annual revenue. An insurance policy’s protection, deductible, claim limits and the carrier selling it also affect the cost.
For a firm managing under $100 million in assets, the annual premium for $1 million in E&O coverage, with a $10,000 deductible, would cost about $6,900, Weiner told RIA Intel. Adding coverage for employee theft to an E&O policy is typically priced at 3 percent of the existing premium. For $250,000 in coverage for social engineering, RIAs would pay roughly an additional $750, Weiner said.
Most standalone cyber insurance policies with $1 million in coverage come with $250,000 in coverage for cybercrime (including social engineering) that would fulfill Fidelity’s mandate. Those policies can cost RIAs between $1,000 and more than $2,000 per year, according to brokers. RIAs that choose to get a standalone cyber policy will pay more in insurance premiums but have considerably more cyber coverage, brokers said.
The biggest cybersecurity risk to RIAs is ransomware, which immobilizes software or important information until a ransom is paid to the attacker, said Brian Thornton, president of Prowriters, a digital wholesale insurance broker that specializes in E&O and cyber insurance. But social engineering attacks are common cyber-related claims, he added.
“You can certainly see a scenario where an investment advisor’s email gets hacked, and someone uses that to [message] a client to say, ‘hey, send funds here,’” Thornton said. “Or the scenario where they don't even hack you, but [hackers] spoof your email and make it look like it's coming from you, even though [the hackers] never got into your system.”
If a client mistakenly transfers funds to someone who they think is their advisor, they might still sue their advisor, Thornton said. “Even if you don't necessarily have client funds in your care, custody and control, you might be sending their funds on their behalf. You still have some exposure there,” he said.
How RIAs meet Fidelity’s new insurance requirements is up to them, brokers said. But they recommended reaching out to firms like theirs that have experience working with wealth managers. Those brokers are most familiar with the needs of RIAs and can make sure they are adequately protected, meeting any requirements, and not buying more coverage than they need.
Holly Deaton (@HollyLDeaton) is a staff writer at RIA Intel and based in New York City.