Uncovering the “Gotchas” of RIA Insurance
By Brian Francetich
This world is full of gotchas. From fake Gucci purses and Ray-Ban sunglasses to politicians’ unfulfilled promises and advertisers’ embellishments, nothing is quite as it seems. Unfortunately, gotchas also apply to RIA firms’ insurance portfolios. In short, insurance policy terms vary widely from carrier to carrier and often require careful attention to detail and tailoring.
The ISO is a for-profit business that serves the property and casualty insurance industry. One of the key services it provides is writing standardized insurance language for use by insurers. ISO writes standard general liability, automobile liability, property insurance forms, etc. to make the formation of policies and shopping of insurance simpler. But for policies covering most of the major risks RIAs face—errors and omissions/professional liability, directors and officers, cyber insurance, fidelity bond/crime insurance, and employment practices liability—there is no standard insurance language issued by the ISO. We are left with what we often call the “Wild West of insurance.” It’s a world full of gotchas, yet with proper guidance and advice it is absolutely possible to successfully navigate this world. Let’s break down each of the five different coverage lines RIAs need and uncover some of the traps found within.
While cyber insurance has taken the limelight recently and consistently ranks as the number one risk concern among advisors (see our Bi-Annual RIA Risk Survey), within our client base of over 2,000 RIA firms, E&O losses still significantly exceed the cyber insurance losses experienced by RIAs in both frequency and severity. Total E&O dollar losses have been over 20 times greater than cyber losses over the past five+ years. Clearly, this is an important area to get right for your firm.
So what are the biggest gotchas in the RIA E&O space? The first two things to look for are (1) the insurance language regarding investment vehicle/type exclusions and (2) treatment of trade errors. Insurers are all over the place on these two items and the language can be difficult to interpret. Some forms are wide open and therefore will cover all investment vehicles/types. Some have very extensive limitations on the types of investments they will cover. Understandably, this could be problematic. Regarding trade errors, it is important to determine what the definition of a trade error is and if it includes both discretionary and non-discretionary trading. While some forms are silent, others will outright exclude claims that in any way involve a trade error. Again, the Wild West!
D&O can be one of the more difficult coverage lines to define clearly. In essence, it covers some of the exposure that is “left over” and is not covered by E&O, EPLI, cyber, general liability, and crime. The two biggest considerations here for RIAs are (1) regulatory exposure that results from running a business in a highly regulated industry and (2) minority shareholder exposure should the firm have a broad shareholder base. Firms that have more complex structures, service offerings, product lines, advisors with significant outside business activities (OBAs), proprietary products, ways of being compensated, and affiliated provider companies all have increased regulatory exposure and should seriously consider D&O.
Cyber insurance is the youngest of the specialty insurance coverage lines for RIAs and still in its adolescence. Due to this, there are even wider differences in how insurers have constructed policy forms and defined terms and conditions. In general, cyber insurance is intended to cover the loss of data/information, the destruction or interruption of systems, and the subsequent fallout. The most common cyber claim for an RIA comes in the form of a data breach, typically the hacking of an employee’s email or CRM. This results in costs for data forensics, credit monitoring, notifications, and legal expenses—all of which should be covered in a proper cyber insurance policy. There are two glaring gaps cyber will not cover: (1) the reputation damage that may follow a cyber event and therefore loss of clients and the revenue they bring and (2) the direct loss of dollars or securities due to a social engineering fraud (SEF) event. The good news here is that this type of loss for an RIA can be covered by a proper fidelity bond/crime insurance policy.
Primarily, fidelity bond/crime insurance coverage is built to cover employee theft and fraud matters. This can range from a staff accountant creating false invoices to fill their own pockets to advisors setting up new client accounts fraudulently such that they receive the funds themselves rather than your custodian. By far, though, the most common claim event that falls under this type of coverage for RIAs is what the insurance industry calls SEF. It usually starts with an RIA client’s email being hacked; the fraudster then poses as the client to get an RIA employee to set up a wire to what the employee thinks is a legitimate account but is not. This may sound simple and easy to detect, but these criminals are savvy and increasingly patient. They often wait and monitor email correspondence and have typically gathered significant amounts of detail about the client, including timing of transactions, travel plans, large purchase plans, signatures, etc. The language within these fidelity bond/crime insurance policies varies widely, and many insurers simply will not cover the above-mentioned SEF event or will only pay a small sub-limit amount. To clarify, cyber insurance cannot be depended on to cover this type of loss either. Tread carefully!
EPLI coverage protects the company and management against lawsuits brought by employees alleging harassment, discrimination, wrongful termination, and retaliation by the company and/or manager. Unfortunately, RIAs have not fared well regarding these types of suits. In fact, a recent SourceMedia Research survey entitled "Sexual Harassment in the Professional Workplace" found that among professional industries, wealth management carried the “highest prevalence” of such allegations. EPLI is a more mature coverage line, and while more standards do exist, it is still important to understand the fine print on how things like third-party harassment, settlement clauses, and wage and hour claims will be treated. For greater detail on this subject, refer to Managing Employment Risk – Webinar.
The insurance world for RIA firms can feel a bit like the Wild Wild West. It is critical for RIA firms to find experienced partners that take the time to understand their particular firm and exposures to build a proper insurance portfolio to protect their firm and interests.
Brian Francetich is the president of GSRIA and a shareholder at Golsan Scruggs. Brian has served the RIA industry for over 15 years and leads a team insuring over 2,000 investment management firms nationwide. More information is available at www.gsRIA.com.