The Wire Fraud Your RIA Cyber Policy Wasn't Built For
A client's email gets hacked. A wire goes out. The money disappears. Most RIA cyber policies deny this exact claim because of four phrases buried in the policy language. Here's what those phrases say, why they kill the claim, and which carrier has an argument.
Why Your Cyber Policy Won't Cover This Wire Fraud
The wire went out at 2:47 p.m. on a Tuesday. By 3:15, the money was gone.
Your client called Monday morning. She was buying a house in Bend. Closing Friday. She needed $847,000 moved from her brokerage account to the title company. Routine. You've done it a hundred times.
She sent the wire instructions Tuesday afternoon. The email looked normal. Same address. Same signature. The instructions came from the title company and matched the closing documents. You forwarded them to Schwab. Schwab pushed the wire. The client thanked you.
Friday morning, the title company called. They never received the funds.
Here's what you didn't know. Seven days earlier, a hacker got into your client's email. He sat there. He read every message. He waited for the title company's wire instructions to arrive. When they did, he changed the routing number and the account number. He forwarded the doctored instructions to your client's outbox, deleted the original, and waited.
Your client never saw the original instructions. You never saw the original instructions. Schwab moved the money to an account in Eastern Europe. By the time anyone noticed, it was gone.
The client retained counsel by Monday. The demand letter arrived two weeks later. $847,000.
You called your cyber carrier. You had social engineering coverage. You had funds transfer fraud coverage. You had a $1 million limit. You sent in the claim.
Six weeks later, the denial letter showed up.
What killed the claim
The denial letter ran four pages. Most of it was contract language. But the claim died on four phrases. If you understand these phrases, you understand why most cyber policies sold to RIAs leave you exposed in this scenario.
We reviewed five common cyber policies for this exact fact pattern: CFC, Coalition, At-Bay, Cowbell, and Tokio Marine. Four of them deny. One has an argument. Here's why.
Phrase 1: "Your funds"
This phrase or a close cousin shows up in CFC and Cowbell forms. It limits coverage to money the RIA owns.
The money in your client's account was never your money. It belonged to the client. It sat at Schwab in the client's name. CFC's social engineering grant pays for "any direct financial loss sustained by the company." The company didn't lose anything. The client did. You lost it later because the client demanded reimbursement.
That's not how the policy reads. That's how the carrier reads it.
Phrase 2: "An account held by you"
This phrase or a version of it appears in CFC, Coalition, and Cowbell.
CFC requires the loss to come from "a bank account held by you on behalf of the third party." Coalition requires the account to be "held by the named insured or subsidiary." Cowbell requires "your Transfer Account."
The account at Schwab is not held by the RIA. It's held by the client. The RIA has trading authority. The RIA can submit wire requests. None of that makes the account "held by" the RIA in the way these policies define it.
This phrase alone kills the claim at three of the five carriers we reviewed.
Phrase 3: "Direct financial loss sustained by the company"
CFC defines Loss this way. Coalition uses similar language for its first-party grants.
The loss in this scenario is not direct. The client lost the money first. The RIA paid the client back through a demand letter, a settlement, or a judgment. That is an indirect loss. The carriers built their first-party grants for direct loss.
Some policies cover indirect loss through a separate coverage part for client reimbursement. Most don't. Check yours.
Phrase 4: "Resulting from a security failure"
This is Coalition's specific landmine.
Coalition's Funds Transfer Liability covers fraudulent instructions that "purport to have been transmitted by the insured" and result from a security failure on the RIA's side. That covers the opposite scenario: the one where your email gets hacked and a fraudster impersonates you to your client.
Your scenario reverses that. The fraudster impersonated the client to you. There was no security failure on your side. Your training was current. Your systems were not breached. The breach happened at the client's email provider.
Coalition's policy is not built for that. Most aren't.
The one that has an argument
Of the five carriers, Tokio Marine is the only form with language that gives the RIA a real argument.
Tokio defines a Financial Account to include a Client Account, which it defines as "a bank account held or maintained by the insured's client or customer, from which the insured, as an authorized user, may deposit, withdraw, transfer, or disburse money."
That is the language the other carriers do not include. It contemplates the exact relationship an RIA has with a client's custodial account.
Tokio's coverage is not automatic. The RIA still has to qualify as an authorized user, which means the firm needs more than fee-deduction authority on the account. The reimbursement still requires carrier approval. The Cyber Crime aggregate limit on the form we reviewed was $100,000, which is small compared to a real wire fraud loss.
But it is the only form in this batch that contemplates the loss in the first place.
What to do this week
Pull your cyber policy out of the file. Look for these four phrases or their cousins.
- "Your funds" or "the company's funds"
- "Account held by you" or "named insured's account"
- "Direct financial loss sustained by the company"
- "Security failure" tied to the fraudulent instruction
If you see those phrases without a carve-out for client-owned custodial accounts, you have a gap.
The fix is not always a different cyber policy. Most of the time, the answer is a crime policy structured to cover the wire fraud scenario the cyber policy won't. Sometimes the answer is an endorsement. Sometimes it's a change to how the firm handles wire requests.
The point is that you can't solve this by looking at the cyber policy alone. You think about this the same way with your own clients. When a prospect comes to you for a financial plan but only shows you half their accounts, you can't build a real plan. You can only build a plan for the half you see. The same rule applies to your insurance.
What you don't want is to find out at the denial letter.
Schedule a call
Box Professional Insurance works exclusively with RIAs. Bring us your cyber, crime, and E&O policies. We'll read them against each other and build a plan that closes the gaps without paying twice for the same coverage. So when a wire goes out on a Tuesday afternoon, you have the confidence to know it's covered.