Curbing Client Risk with Cyber Insurance

Journal of Financial Planning: February 2017

 

David M. Cordell, Ph.D., CFA, CFP®, CLU®, is director of finance programs at the University of Texas at Dallas.

Thomas P. Langdon, J.D., LL.M., CFA, CFP®, is a professor of business law at Roger Williams University in Bristol, Rhode Island.

One of the basic steps comprehensive planners engage in when preparing a financial plan for a client is conducting a risk management assessment. Risk management is an essential component in a well-constructed financial plan, and risk management measures are usually implemented early in the planning process. Without an adequate risk management plan in place, the benefits resulting from saving and investing to reach client goals for education funding, retirement, and legacy planning may be wiped out if the client experiences a negative risk exposure.

Risks Clients Face

Some risk exposures faced by clients are universal and static. Risks such as the early death of a household member, the risk of experiencing a period of disability that could result in the loss of income, and the risk of property damage or personal injury associated with the use of real and personal property are exposures that all clients face, and that all good risk management plans address. Some risks are unique to the individual engaging in planning, which is why financial planners conduct a thorough risk assessment taking those unique attributes of the client into consideration before developing and implementing a risk management plan.

Business owners face some unique risks that should be addressed in the planning process. Small businesses that are dependent upon the services of their owners or key employees, for example, should consider the use of business continuity insurance to provide operating capital if the owner or key employee is unable to work for some time. Business continuity insurance allows the business to pay for recurring costs of operation (rent, electricity, basic support staff, and the like) so that when the owner or key employee recovers, there is a business to go back to. In many cases, failure to have business continuity insurance forces a small business to close its doors when the source of the business’s cash flow disappears—even for a short period. Business continuity insurance is often a staple in the smorgasbord of risk management products financial planners employ as a hedge against the financial risks faced by their clients.

Risk Management Meets the Cyber World

A relatively new risk that business-owner clients are exposed to is financial loss resulting from a cyber breach. The evolution of the Internet and online electronic payment mechanisms has greatly expanded the potential for many businesses in a relatively short period of time, but it has also provided an opportunity for cyber thieves to steal information vital to the operation of those businesses, and vital to the customers who patronize them. Recognizing the need for protection against these threats, larger businesses have dedicated significant resources to the protection of their electronic data and systems.

Even with large investments in protection against cyber threats, some big businesses have been the target of hackers, resulting in large financial losses and, perhaps more importantly, credibility losses with their customers. Breaches at companies like Target, eBay, and Yahoo have had a major impact on businesses and consumers alike. Cyberattacks have not been limited to businesses, as the recent Chinese hack into U.S. government personnel records (which disclosed the private information of millions of U.S. government employees and military personnel) and the alleged Russian-sponsored hacking at the Democratic National Committee demonstrate.

Recognizing the increased difficulty in breaching larger company systems, cyber criminals have turned their focus to those organizations that are less capable of protecting themselves. What was once a problem primarily for larger businesses has now expanded to medium-sized and small businesses—many of which are served by financial planners. Recent estimates have suggested that at least a third of targeted cyberattacks were aimed at companies with fewer than 250 employees. A tool to hedge against these risks faced by business owners is cyber insurance.

Cyber Insurance as a Risk Management Tool

Cyber insurance is a relatively new form of risk management coverage that has evolved over the last 20 years. The first generation of cyber insurance, often referred to as network security insurance, was purchased by technology companies that distributed software to customers; it came in the form of errors and omissions insurance that was expanded to include damages caused by software programs, transmission of computer viruses, and loss of data. In the early 2000s, network security insurance policies were expanded to include coverage for breaches of private and confidential information.

Of course, many businesses not in the software development and distribution market also possess electronic trade secrets, including customer information and data (such as credit card numbers, addresses, and dates of birth), and began to purchase this insurance solely for the purpose of mitigating losses resulting from privacy breaches. Today, cyber insurance policies cover four primary areas, not all of which are needed by every business: errors and omissions insurance, network security, privacy protection, and media liability protection.

Financial planners assessing the risk exposures of their clients need to carefully consider which of these coverages may be important to their clients. Errors and omissions coverage may be appropriate if a client is involved in the process of developing software, or is an information technology consultant. Unlike errors and omissions coverage, which will meet the need of only some businesses, network security, privacy protection, and media liability protection are likely to be concerns for most businesses and their owners today.

Network security coverage provides protection against the financial consequences resulting from breach of customer and company data (including intellectual property), destruction of data, damages resulting from cyber extortion (such as the unauthorized installation of ransomware on company systems), and damages caused by viruses.

Privacy protection coverage protects against the financial consequences of disclosure of private information in electronic or physical form, either negligently (such as mistakenly emailing private information to the wrong party) or intentionally (such as a criminal hack into company systems to steal private information, or the disclosure of private information by a disgruntled insider).

Media liability coverage provides protection against injury resulting from a company’s Internet presence, such as allegations of libel and slander contained in media posts or advertising, and infringement of intellectual property rights.

Cyber Ramifications

When a cyber breach occurs, businesses may face several financial exposures. Typically, costs will be incurred to investigate the breach to determine the nature and scope of the possible damage. Many state and federal laws require businesses to notify customers affected by the breach and to provide credit monitoring services to customers. Customers who are impacted may sue the business, in which case defense costs are incurred along with settlement costs or judgments if the cases go to trial.

Costs may also be incurred in responding to regulatory bodies, which can impose fines and penalties for the business's failure to comply with government regulations concerning the protection of customer data. Small and medium-sized businesses without cyber insurance protection may be overburdened by these costs, forcing them out of business if a cyber breach were to occur.

Many business owners think they are protected against some of these threats by their standard property insurance policies. Unfortunately, this is generally not the case. Most standard property insurance policies do not cover the loss or damage of data, losses associated with business system downtime caused by cyberattacks, or the consequences of cyberattacks on the business, such as identity theft, ransomware, and phishing scams. Shifting the risks associated with these losses can only be accomplished through the purchase of a cyber insurance policy.

The Financial Planner’s Role

Of course, purchasing a cyber insurance policy will cushion the financial consequences of data breaches and cyberattacks, but the policy itself will not prevent cyberattacks from occurring. As part of a client’s overall risk management plan, financial planners should encourage clients with business enterprises to incorporate safeguards to minimize the likelihood of those cyberattacks. Some of the measures that can be incorporated into the plan include using virus protection software, requiring complex passwords and frequent resetting of passwords for access to company data, and limiting access to company data to employees on a need-to-know basis.

Combining cyber insurance with common-sense action steps to protect the company and its data against cyberattacks may be the only way for small and medium-sized companies to survive when faced with this growing threat to their continued existence. Although financial planners may not be qualified to provide a thorough cyber risk evaluation, they should be sensitive to this type of risk exposure of their business-owner clients. Assisting clients in identifying cyber risk issues and minimizing their exposure to the financial consequences of the cyber risks is a critical aspect of financial planning for business owners, and it is also an excellent means of cementing the planner-client relationship.
