Advisors using Schwab as a custodian will now be required to show proof that they have a $1 million errors & omissions (E&O) insurance policy, according to an email the financial services giant sent out yesterday.

The Schwab directive also requires advisors to obtain and maintain coverage for “social engineering, theft by hacker incidents, and theft by employee (if applicable),” according to a copy of the email obtained by Financial Advisor magazine.

“Each firm needs to have an aggregate minimum of at least $1 million of coverage,” said Schwab, adding that the firm has seen “an uptick in risks.”

E&O insurance, also known as professional liability insurance, can help cover the cost of lawsuits related to performance, a sign that Schwab is at least doing strategic planning for a market downturn.

“There are probably a lot more RIAs than we know who don’t have an E&O policy or Schwab would not have issued this requirement,” said Scott Salaske, founder and CEO of FirstMetric, an RIA firm. “A part of it is they’ll be named in any lawsuit so if they can push that on advisors’ insurance rather than eating it down the road, that’s good practice.”

“This is good. Maybe other custodians will follow,” he added.

A senior Schwab executive said the move was prompted by the growing operational risks both Schwab and RIAs face alike. “Independent advisors have been growing quickly, and while this growth and success is overwhelmingly positive for investors and RIAs alike, it does bring increased operational risks as firms expand and day-to-day operations become more complex,” Ian Muir, Managing Director, Advisor Controls and Trading, Schwab Advisor Services, said.

“This complexity, combined with rising industry fraud, cybercrime and trading volatility, means it is critical for advisors to evaluate how well their firm is protected. Schwab believes that insurance is a vital component to managing risk at Schwab and in advisors’ businesses and is consistent with the commitment to being a fiduciary for clients. Coverage protects a firm and its clients from the unexpected, transfers risk away from the firm’s balance sheet and advisors’ personal assets, and can provide coverage for legal costs, settlements, and the costs of operational errors,” Muir added.

Schwab also told Financial Advisor magazine it is currently working with a selected group of insurance providers to secure preferred pricing for Schwab clients. “More details about these providers will be available beginning in November,” the firm said.

Salaske said that most E&O policies don’t have coverage for all the new Schwab requirements, so “additional coverage through a fidelity bond, sometimes referred to as a financial institution bond, will be required as well.”

The median cost for an E&O policy for advisors starts at about $220 per month, or $2,610 a year, for $1 million per-occurrence coverage with a deductible of $5,000, according to Insureon, an online E&O insurance broker.

Cyber liability insurance costs another $105 per month, or $1,260 per year, for $750,000 per-occurrence coverage and covers legal fees and recovery costs stemming from data breaches. That brings the total annual cost for the E&O policy Schwab is requiring to about $3,870 per year.

William M. Harris, president of WH Cornerstone Investments in Duxbury, Mass., which custodies assets at Schwab, said he pays about $6,000 annually for E&O coverage. “Social engineering coverage was a new one for me,” Harris said. “Regardless, I forwarded Schwab’s mandate to my insurance carrier to make sure we had all the requisites covered.

“While I think E&O is good industry practice, Schwab’s notice was disconcerting. What other mandates lie ahead? In addition, the mandate was emailed via nondescript notice from someone I was not familiar with. I would have liked to have seen a reach out from a dedicated service contact. In their defense, maybe that will follow,” Harris added.

Schwab “is wisely circumventing its own liability by putting a policy requirement in place,” an attorney who asked for anonymity said.

“I run a $420 million RIA and we clear 100% through Schwab,” Daren Blonski, co-founder and managing principal of Sonoma Wealth Advisors in Sonoma, Calif., said. “When I received the email yesterday it was interesting that they had to send it out. It tells you that a lot of people are operating without E&O.”

Blonski carries E&O and said “operating without it is like being a good driver and thinking you will never get in an accident.”

In addition to investors getting increasingly skittish about investment losses, regulators are cracking down on advisors whose deficient cybersecurity has led to breaches.

In August, the Securities and Exchange Commission sanctioned eight firms for failures in their cybersecurity policies and procedures that resulted in email account takeovers exposing the personal information of thousands of customers and clients.

The eight firms, which settled the charges without admitting or denying guilt, are Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, and Cetera Investment Advisers LLC; Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc. (collectively, Cambridge); and KMS Financial Services Inc. (KMS). All were SEC-registered as broker-dealers, investment advisory firms or both.

The SEC levied fines and penalties on each firm ranging from $200,000 to $300,000.

"Investment advisors and broker-dealers must fulfill their obligations concerning the protection of customer information," Kristina Littman, chief of the SEC Enforcement Division's cyber unit, said in a statement. "It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks."

According to the SEC's order against the Cetera companies, cloud-based email accounts of over 60 Cetera personnel were taken over by unauthorized third parties, resulting in the exposure of at least 4,388 customers’ and clients’ personal information between November 2017 and June 2020.

None of the accounts “were protected in a manner consistent with” Cetera policies, the SEC found. The SEC also discovered Cetera sent breach notifications to each client that were misleading, suggesting that the notifications were issued much sooner after discovery of the incidents than they actually were.

The SEC's order against Cambridge found that the cloud-based email accounts of over 121 Cambridge reps were taken over by unauthorized third parties, resulting in the exposure of at least 2,177 Cambridge customers and clients between January 2018 and July 2021.

The SEC's order found that “although Cambridge discovered the first email account takeover in January 2018, it failed to adopt and implement firm-wide enhanced security measures for cloud-based email accounts until 2021, resulting in the exposure and potential exposure of additional customer and client records and information.”