Cyber Insurance for Fee-Only Financial Planners: What You Really Need to Know

  • Writer: Peter C. Ciravolo
  • Oct 21
  • 7 min read

Written by: Peter Ciravolo, Co-Founder @ BC Brokerage


BC Brokerage is a national insurance brokerage specializing in helping fee-only financial planners and their clients obtain life, disability, long-term care, annuity, home, auto, umbrella, and business insurance in all 50 states.



—----------



If you’re a Fee-Only financial planner, you’ve probably invested a lot of time in building a solid compliance program, refining your financial planning process, and protecting client data. 


However, when it comes to cybersecurity, many advisors mistakenly assume they’re already covered by their Errors & Omissions (E&O) insurance or Business Owner’s Policy (BOP).


Unfortunately, that’s rarely the case. In today’s environment, where everything from client onboarding to trading happens online, cyber risk is one of the biggest blind spots for independent financial planners.


The Modern Cyber Risk Reality


Advisors are storing and transmitting more client information than ever before. This includes tax returns, Social Security numbers, bank account details, custodial credentials, and more.


Cybercriminals increasingly target smaller RIAs because they often have weaker security systems and fewer internal controls. Phishing schemes, ransomware, and email account takeovers have become common. A single compromised inbox can expose hundreds of clients’ sensitive data or trigger fraudulent money movements. The financial and reputational fallout from one incident can be devastating, not to mention the regulatory scrutiny that follows.


Why E&O and General Liability Won’t Save You


Let’s start with the basics. 


E&O insurance is designed to protect you from professional mistakes: giving incorrect advice, failing to act in a fiduciary manner, or breaching your duty of care. It’s about your advice, not your operations.


If a hacker gains access to your systems, steals client information, or sends fraudulent transfer requests from your email, that’s not an “error” in advice; it’s a cyber incident. And your E&O carrier will almost certainly deny coverage.


The same goes for your General Liability or Business Owner’s Policy (BOP). Those policies protect against physical-world problems: a client slipping in your office, a fire in your building, or damage to your equipment. They don’t cover data breaches, cyber extortion, or fraudulent fund transfers.


Even if your BOP mentions “data” or “network,” those sections usually include strict exclusions. If a hacker locks you out of your systems or tricks your staff into sending money to a fake account, you’ll be on your own financially, unless you have dedicated cyber insurance.


What Cyber Insurance Actually Covers


A stand-alone cyber liability policy is specifically designed to address the digital risks that advisory firms face today. These policies can help with:


  • Investigating the breach and recovering compromised data

  • Notifying affected clients and offering credit monitoring

  • Legal and regulatory defense, including SEC and state investigations

  • Business interruption and lost income if systems go down

  • Ransomware payments and extortion negotiations

  • Public relations and reputation management after an incident


Most Common Gap in 2025: Social Engineering Coverage


Social engineering is deception: manipulating someone into taking an action that benefits the attacker. In the financial world, it's often as simple (and as devastating) as an attacker impersonating a client or custodian.


Imagine this: you get an email that looks exactly like it’s from your client, asking you to move $50,000 to a new account. The email signature matches, the tone is spot-on, and you’ve done this a dozen times before. You process the request, only to find out later that the email came from a hacker.


That’s social engineering, and it happens every day.


Here’s the problem: many cyber policies either exclude social engineering losses or limit them to small sublimits, such as $10,000 or $25,000. Worse, some only cover it if the fraud originated within your system, not if it started from a client’s compromised email. 


When shopping for a policy, ensure it includes specific social engineering coverage that protects against fraudulent instructions and client impersonation. For most advisory firms, a limit of at least $250,000–$500,000 is appropriate, but you’ll want to match this to the amount of money typically moving through client accounts.


Please note that your custodian may require this as part of your coverage. Double-check your contract language or speak with an insurance broker to confirm whether your current policy meets your custodian's insurance requirements. 


Custodian Requirements and Expectations


Custodians have begun tightening their cybersecurity requirements, too. Most now expect affiliated RIAs to maintain cyber coverage, especially if they connect directly to custodial systems or client portals.


Here’s what many advisors are seeing today:


  • Fidelity Institutional: Recommends cyber liability coverage between $250,000 and $500,000.

  • Charles Schwab Advisor Services: Requires proof of at least $250,000 in coverage for firms using Schwab systems.

  • TD Ameritrade (now Schwab): Historically encouraged $500,000 minimum for larger RIAs.

  • Pershing: Commonly requires $500,000 or more, depending on the firm’s size and data exposure.

  • Altruist: Advises RIAs to maintain between $250,000 and $500,000 in cyber coverage, scaled to the number of clients and data volume.


These thresholds are not just arbitrary; custodians are protecting their own ecosystems from third-party risk. If your firm suffers a breach, it can impact them, too.


How Much Coverage Do You Really Need?


There’s no single right number, but here’s a reasonable starting point:


  • Solo planners (under $100M AUM): $100,000–$250,000

  • Small RIAs ($100M–$500M): $250,000–$1 million

  • Mid-size RIAs ($500M–$1B): $1 million–$2 million

  • Larger RIAs ($1B+): $2 million–$5 million or more


The best way to determine your coverage needs is to evaluate how much data you hold, how many systems you integrate with, and what it would cost your firm to operate offline for a few days. Your custodian and your insurance broker can both help model these scenarios.


Let’s review the standard exclusions: what’s not covered, and a few examples:


1. Acts of War or State-Sponsored Attacks


Most cyber policies exclude losses caused by nation-state attacks or acts of war. If the U.S. government attributes a significant cyber incident to a foreign state actor (as it did with the 2017 “NotPetya” attack), insurers may treat it as a “war-like” act and decline coverage. Courts did not always accept that reading of older policy wordings after NotPetya, and many carriers have since rewritten their exclusions to name state-backed attacks explicitly (Lloyd’s required such wording in its market from 2023), so read this clause closely.


Why it matters: Large-scale global cyber incidents can cascade into smaller firms’ systems, even if you weren’t directly targeted.


2. Known or Ongoing Security Failures


If your firm failed to maintain reasonable cybersecurity controls, such as basic password protection, encryption, or patching, and that failure directly led to a breach, the insurer might deny coverage.


Example: If your firm ignores repeated warnings about outdated firewall software or unencrypted laptops, and that leads to a breach, your claim could be rejected for “failure to maintain security standards.”


Tip: Document and update your cybersecurity procedures annually; most insurers ask about them on the application. Answer the application questions about controls such as multi-factor authentication, backups, and patching accurately, because a misstatement there can give the carrier grounds to void the policy entirely.


3. Future Lost Profits or Firm Valuation Losses


Cyber policies generally cover direct financial loss, not long-term business value. If your firm loses clients or reputation after a breach, the resulting reputational damage or valuation decrease is typically not reimbursable.


Example: If you lose five key clients after a data breach, their lost AUM and future fee revenue would not be covered. The policy covers breach costs, not lost goodwill.


4. Intentional Acts or Insider Fraud


If a partner, employee, or contractor intentionally causes a breach, steals client data, or participates in a fraudulent transfer, most cyber policies won’t pay for the loss unless you have a specific “employee dishonesty” or “crime” rider.


Tip: Some carriers offer optional crime coverage that complements cyber insurance. It can cover internal fraud and embezzlement.


5. Bodily Injury or Property Damage


Cyber coverage focuses on digital assets, data, systems, and communications. It won’t pay for physical injuries or property damage resulting from a cyber event (unless you have a separate endorsement that combines the two).


6. Upgrading Systems After an Attack


Insurers cover restoration, not improvement. They’ll pay to restore your systems to their pre-breach state, but not the cost of new software, enhanced firewalls, or upgraded infrastructure, unless your policy carries a “betterment” endorsement, which some carriers now offer for post-incident security improvements.


Example: If your email server is compromised, they’ll cover the recovery, not a new state-of-the-art cloud migration project.


7. Fines and Penalties Not Legally Insurable


While many policies include coverage for regulatory defense and specific civil penalties (like state data breach laws), they cannot legally pay government fines or penalties that are deemed uninsurable in your jurisdiction.


Example: If the SEC or a state regulator imposes a fine labeled explicitly as a “penalty,” your cyber insurer may not be allowed to pay it.


8. Client Losses from Market Activity


If a cyber incident results in market losses (like unauthorized trading), those investment losses are usually excluded.


Cyber insurance covers the breach response and liability, not the client’s portfolio performance.


Example: If a hacker gains access to a trading platform and executes losing trades, the resulting market losses are likely not covered under standard cyber insurance.


9. Coverage Gaps in Social Engineering


Even if you have cyber insurance, social engineering coverage often comes with strict sublimits and conditions.


If the fraud didn’t meet the exact definition or if you didn’t follow the required verification steps (like callback confirmations), your claim may be denied.


Example: Your policy might require that fund transfer instructions be verified by a phone call to a number already on file for the client, not one supplied in the request itself. If you only confirmed by email, or called back a “new” number the email provided, the insurer could decline the claim.


Solution: Always understand the verification requirements in your policy and train your staff accordingly.
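As an added example (not code from the article, and not any insurer’s or custodian’s policy wording), here is a small Python model of the callback control this section describes: a money-movement request is held until someone has called the client back on the phone number the firm already has on file and the client has confirmed. The client record, account identifiers, phone numbers and the 24-hour callback window are constructed for illustration. The header checks are advisory indicators only; the point of the example is that an attacker inside the client’s real mailbox trips none of them, so the callback is the control that actually stops the transfer.

```python
# Added example: a callback-verification gate for money-movement requests.
# Not code from the article or any insurer; client data, phone numbers, account
# identifiers and the 24-hour window are constructed assumptions for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parseaddr
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ClientRecord:
    name: str
    email: str
    phone_on_file: str          # recorded at onboarding; never taken from an inbound message
    known_accounts: frozenset   # destination accounts the firm has sent to before


@dataclass(frozen=True)
class TransferRequest:
    from_header: str            # raw From: header, e.g. 'Jane Doe <jane.doe@example.com>'
    reply_to: Optional[str]
    amount: float
    destination_account: str
    received_at: datetime


@dataclass(frozen=True)
class CallbackRecord:
    phone_dialed: str
    confirmed: bool
    at: datetime


def email_indicators(req: TransferRequest, client: ClientRecord) -> List[str]:
    """Advisory red flags taken from the message itself. Hints, not proof: an
    attacker inside the client's real mailbox triggers none of the header checks."""
    flags = []
    _display, sender = parseaddr(req.from_header)
    if sender.lower() != client.email.lower():
        flags.append("sender address differs from the address on file")
    if req.reply_to:
        _d, reply_addr = parseaddr(req.reply_to)
        if reply_addr.lower() != sender.lower():
            flags.append("Reply-To differs from From")
    if req.destination_account not in client.known_accounts:
        flags.append("destination account never used for this client")
    return flags


def verify_transfer(req: TransferRequest, client: ClientRecord,
                    callback: Optional[CallbackRecord],
                    max_callback_age: timedelta = timedelta(hours=24)
                    ) -> Tuple[bool, List[str], List[str]]:
    """Approve only on a confirmed callback to the number on file, placed after the
    request arrived and within max_callback_age.
    Returns (approved, blocking_reasons, advisory_flags)."""
    blocking = []
    if callback is None:
        blocking.append("no callback recorded; an email reply is not verification")
    else:
        if callback.phone_dialed != client.phone_on_file:
            blocking.append("callback placed to a number not on file")
        if not callback.confirmed:
            blocking.append("client did not confirm the instruction on callback")
        if callback.at < req.received_at:
            blocking.append("callback predates the request")
        elif callback.at - req.received_at > max_callback_age:
            blocking.append("callback is stale relative to the request")
    return (not blocking, blocking, email_indicators(req, client))


# --- constructed sample data (hypothetical client, not a real person) ---
CLIENT = ClientRecord("Jane Doe", "jane.doe@example.com", "+1-555-0100",
                      frozenset({"ACCT-1001"}))
T0 = datetime(2025, 10, 21, 9, 0, tzinfo=timezone.utc)
# Request sent from the client's real address, asking for $50,000 to a new payee.
NEW_PAYEE = TransferRequest("Jane Doe <jane.doe@example.com>", None,
                            50_000.0, "ACCT-9999", T0)


def scenario_compromised_mailbox():
    """Attacker inside the client's real mailbox; staff 'confirmed' by replying to the email."""
    return verify_transfer(NEW_PAYEE, CLIENT, None)


def scenario_number_from_email():
    """Staff did call back, but dialed the 'new number' the email helpfully supplied."""
    cb = CallbackRecord("+1-555-0199", True, T0 + timedelta(minutes=20))
    return verify_transfer(NEW_PAYEE, CLIENT, cb)


def scenario_proper_callback():
    """Callback to the number on file and the client confirms: approved, new payee still logged."""
    cb = CallbackRecord("+1-555-0100", True, T0 + timedelta(minutes=20))
    return verify_transfer(NEW_PAYEE, CLIENT, cb)


if __name__ == "__main__":
    for fn in (scenario_compromised_mailbox, scenario_number_from_email, scenario_proper_callback):
        approved, blocking, advisory = fn()
        print(f"{fn.__name__}: {'APPROVED' if approved else 'HOLD'} "
              f"blocking={blocking} advisory={advisory}")
```

The design choice worth noting is that the advisory flags never approve or deny anything on their own. A new payee or a mismatched Reply-To should raise scrutiny, but their absence proves nothing, so the only path to approval is a logged callback to the number the firm already held. That log is also the evidence you would hand an insurer when a claim turns on whether the policy’s verification steps were followed.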


10. Third-Party Vendor or Cloud Provider Breaches (Sometimes)


Coverage for incidents caused by third-party vendors or cloud platforms varies. Some policies include it automatically; others require that you add specific vendors to your policy schedule.


Example: If your CRM provider or file storage vendor is breached, you may still be responsible for notifying your clients, but your insurer may or may not reimburse those costs unless “third-party vendor” coverage is clearly included.


Practical Next Steps


If you’re not sure where to begin, here’s a simple action plan:


  1. Review your current E&O, General Liability, and BOP policies for cyber and social engineering exclusions.

  2. Ask your custodian about their minimum insurance expectations.

  3. Work with a broker who specializes in RIAs and understands how cyber, E&O, and social engineering coverage overlap.

  4. Conduct a basic cybersecurity risk assessment. Many insurers now offer discounts for firms that use encryption and multi-factor authentication and provide regular staff training.

  5. Make cyber protection part of your annual compliance review, not a one-time project.


The Bottom Line


Cyber insurance isn’t a luxury anymore; it’s a necessity for any fiduciary firm that wants to protect its clients and its business.


Your E&O policy protects your advice.


Your General Liability policy protects your physical office.


Your cyber policy protects your data and reputation, while also serving your clients.


As custodians like Altruist, Schwab, and Fidelity continue raising the bar, it’s time to make cyber protection part of your standard planning process, just like insurance, estate planning, or investment management.

