
Cyber losses - which insurance policy applies?


Andrew Horne and Nick Frith, Minter Ellison Rudd Watts

On Christmas Day last year, the Reserve Bank of New Zealand suffered a cyber attack. The attack involved a malicious actor gaining access to a third party file sharing application named Accellion FTA, which the Reserve Bank used to store and share clients’ sensitive information. That person downloaded information from the application, some of which was personal and sensitive, such as personal email addresses, dates of birth and credit information.

The Reserve Bank responded to the breach by patching and securing the application, identifying the organisations and individuals affected and offering them advice and support from a third party specialist. The Reserve Bank also appointed KPMG to conduct a review of its systems and processes.

The attack itself was fairly typical of ‘data breach’ incidents in which a malicious third party gains access to confidential data held on a firm’s systems. A victim of such an attack may suffer loss and damage in a number of ways. The Reserve Bank, for instance, will have incurred the costs of dealing with the attack and the investigation that followed. It may have incurred liabilities to persons who suffered loss as a result of their information being stolen. A commercial firm in its position might also suffer a loss of profits as the data loss hampers its ability to conduct business and its reputation is damaged. It might also become subject to regulatory action and incur defence costs and fines or penalties.

Insurance policies

Insurance policies deal with the different types of loss that may arise from a cyber event, whether malicious or otherwise, in complex and diverse ways. Different policies may respond to different types of loss arising from the same event. Some types of loss may fall through the cracks and not be covered by any policy, and others may be expressly excluded. In some circumstances, there may be double insurance as more than one policy provides cover, in which case terms providing for double insurance may limit cover.

What does Cyber insurance cover?

Policies described as providing Cyber insurance may not provide cover as broad as their name might suggest, as they do not ordinarily provide cover for all forms of loss resulting from a cyber event.

Typically, Cyber policies will provide cover for internal and external costs that a firm or organisation is obliged to incur to deal with a cyber event. These will often include:
• the cost of expert help to manage, cure and investigate the event and its consequences to understand what happened, what data is affected, and what remediation action is necessary
• the cost of urgent legal support to understand and comply with legal obligations arising out of the event, such as notifying regulators, notifying persons whose data has been compromised, and dealing with claims and complaints
• public relations costs
• data restoration from backups
• ransom or extortion costs

Cyber policies may also include cover for the following costs and liabilities:
• liabilities and losses resulting from computer crime, such as misdirected payments – this cover is often expensive and sub-limited (i.e. with a lower cover limit than the main policy limit)
• business interruption losses and expenses resulting from system downtime caused by the event, response, and investigation
• defence costs, penalties, and fines resulting from the event and any consequential regulatory breaches
• contractual penalties imposed by credit card issuers
• digital media claims, such as claims arising from defamation or misuse of intellectual property

However, some Cyber policies do not include cover for the following:
• losses, whether of the insured’s own funds or those of a third party, resulting from a misdirected payment – such as where the insured is tricked by a forged email into transferring funds to a fraudster’s account (cover is sometimes available for this loss by way of an endorsement but it is usually expensive and sub-limited, as insurers are aware that losses of this nature are common and are often expensive)
• damage to the insured’s own computer system from normal material damage risks such as fire, flood etc – unless included in a policy endorsement
• loss caused by a person who was authorised to access the system – an important limitation
• benefits, such as future discounts, provided to the insured’s customers to apologise for the event and provide limited compensation
• losses resulting from a system failure that is not caused by a third party
• losses from natural disasters
• fines and penalties that do not result from a breach of data protection laws

What other policies may provide relevant cover?

Professional Indemnity insurance

Professional services firms and some other service providing entities will normally hold Professional Indemnity insurance to cover them for liabilities they incur from breaches of their professional duties.

These policies may provide cover for liabilities arising from a cyber event if the event constitutes a breach of a professional duty. The following are examples of breaches that may result from a negligent failure to keep a cyber system properly protected or otherwise breach a professional duty:
• breach of confidence, such as when sensitive client information is disclosed or published, resulting in losses to clients
• conduct by the firm’s employees using social media or another cyber platform, such as breach of confidence or brand damage
• misdirected funds, such as when a professional service provider actions a payment request from a fraudster who has gained access to the professional service provider’s email system (this type of loss is increasingly excluded from cover or limited)
• loss of important client data
• breach of privacy from a cyber event (which may be from a policy extension)
• liabilities resulting from breach of intellectual property rights caused by a cyber event (which may be from a policy extension)
• transmission of a virus or other malicious code resulting from a cyber event

This cover is often important because Professional Indemnity policies typically have higher coverage limits than specialist Cyber policies or other forms of insurance.

Fidelity and Crime insurance

Some firms and organisations have specialist Fidelity and/or Crime cover, which offers protection from costs and liabilities arising from criminal actions by employees or third parties respectively. This may include cover for the following cyber-related losses:
• criminal cyber breaches by employees who steal client data
• theft by employees who access the firm’s systems to learn of transactions and use forged emails to arrange fraudulent bank transfers or otherwise steal the firm’s or its customers’ assets (often excluded or sub-limited)
• intentional damage to the firm’s or its customers’ data
• ransom demands relating to the firm’s or its customers’ data

Statutory Liability insurance

Many firms and organisations hold insurance against fines and penalties imposed as a result of criminal or regulatory breaches, including breaches that result from cyber events. These may include:
• fines imposed for privacy breaches
• fines or penalties under applicable industry regulatory schemes, such as financial services regulation, resulting from a failure to deliver regulated services or a breach of client confidentiality
• defence costs for the above

Directors and Officers insurance

It is possible to imagine circumstances in which a cyber event results in a claim against a company’s directors for breach of their duties to the company. Such a claim could be made, for instance, where the directors had not paid sufficient heed to the risk of loss arising from a cyber event and allowed it to occur, resulting in loss – possibly catastrophic – to the company and its shareholders.

What important exclusions exist?

Many insurance policy suites do not provide cover for important cyber-related risks. These include the following:
• Some policies do not cover losses from broad cyber attacks that do not target a specific firm or organisation or its cyber systems provider, such as a broad attack upon commonly used applications or software
• Some policies do not cover the insured firm or organisation’s own lost revenue or profits, although they may offer this as an optional extension
• Many policies exclude cover for losses arising from misdirected payments arranged through cyber fraud, or provide only very limited cover

What are some examples?

A fraudster obtains access to a firm’s email system through a ‘phishing’ email to which an employee unwittingly falls victim. The fraudster learns that a major transaction is about to take place and uses the employee’s emails or a similar email address to arrange for the payment of client funds to be made to the fraudster’s account. The following policies may provide some cover (subject to exclusions, which are increasingly common for this type of fraud): Cyber, Professional Indemnity, Crime.

A cyber criminal ‘hacks’ into a poorly defended system and obtains access to sensitive client data which is then published on the ‘dark web’. The data includes sensitive client information that results in clients suffering financial loss and personal information that embarrasses individuals. The following policies may provide cover: Cyber, Professional Indemnity, Crime, Statutory Liability.

What do we recommend?

Organisations should consider, with their insurance brokers or legal advisers, how their policy suites will respond to cyber risks and whether there are any material gaps in cover. It may be helpful to consider some of the examples outlined above and assess whether they would be covered, which policies may provide the most appropriate cover and whether any exclusions or sub-limits on cover may apply. Extensions to cover may then be sought where appropriate.

FSLAA so far: how has the industry changed?

More than two months into the new regulatory regime, how have brokers coped with the seismic changes? By Angela Cuming

The Financial Services Legislation Amendment Act 2019 (FSLAA) came into effect on 15 March, marking a major change for insurance brokers and the wider financial advice sector.

The changes were designed to improve financial advice across New Zealand by making it easier for customers to understand and access.

Under the new regime, brokers providing advice to retail clients need to hold a Financial Advice Provider (FAP) licence, or be an authorised body under another FAP licence.

It's a reasonably significant change for the industry. Nick Summerfield, financial services partner for Anthony Harper, says there have been “a few small teething issues” with the new regime.

“For example, some advisers not being properly linked to a FAP on the FSP register,” he says, “and despite really clear messaging from FMA, the Financial Services Council, and others I think there is still a degree of confusion in some quarters about the competency safe harbour.

“However, my sense is the vast majority of the industry has really embraced the change and is well prepared to move forward,” Summerfield says.

“I have seen some really neat examples of FAPs (and advisers) taking advantage of the flexibility of the new disclosure rules to improve how they communicate with clients.”

A Financial Advice Provider (FAP) must:
• Meet the new standards of competence, knowledge and skill included in the Code of Professional Conduct for Financial Advice Services; and
• Meet the duty to ensure the client understands the nature and scope of the advice at all times; and
• Give priority to the client’s interests where there’s a conflict of interest by ensuring the financial advice is not materially influenced; and
• Exercise care, diligence, and skill of a prudent financial adviser at all times; and
• Comply with the new regulations regarding the disclosure requirements and the duty to ensure those disclosures are not misleading, deceptive or incomplete.

Under the new regime all FAPs should hold a transitional licence and be able to create and maintain records and have an internal complaints procedure.

By now, all FAPs should have updated disclosure documents to include all the necessary information required by the FSLAA, and it is a requirement for the FAP’s website to include the Financial Advice Provider Disclosures.

All FAPs can now apply for a full licence under the regime, and all licence holders will be required to hold a full licence in two years’ time to be able to continue to provide financial advice or engage others to give regulated financial advice on their behalf.

For Crombie Lockwood, the new regime has been a welcome evolution for the broker, says chief broking officer Mark Jones. “The changes are designed to raise the performance and the professionalism of the insurance sector, and that’s not a bad thing,” says Jones.

“It’s no secret the insurance industry has struggled with consumer trust and a general degree of scepticism and we are optimistic the new legislation will help by increasing transparency and delivering greater reassurance to clients.”

Jones acknowledges there was some initial hesitancy around what FSLAA would mean for the business but says concerns were quickly alleviated and the benefits soon realised.

“We’ve long been advocates for a ‘client-first’ experience because we believe high standards of conduct are part of doing good business,” he says.

“Strong processes, accountability and heightened competency are fundamental to success and that’s what underpins this new regime.”

While implementing new ways of working requires extra effort and there’s going to be greater scrutiny, says Jones, the reassurance and confidence the new approach gives to clients outweighs any of those challenges.

By now FAPs will have implemented the changes required by the FSLAA, and it appears to be business as usual under the new regime.

“The new financial advice regime has changed the profile of our regulatory obligations but hasn’t changed our commitment to our clients,” says Rodney Knight, general manager - risk & compliance at Rothbury Insurance Brokers.

“We first considered how our existing business operations support the principles and requirements set out in the Code of Professional Conduct for Financial Advice Services,” says Knight.

“This helps everyone understand why particular activities are important and how they are linked to providing a high level of service and it also gives our team assurance that they are meeting all of their new obligations as part of ‘business as usual’.”

By documenting these links, says Knight, the company can demonstrate how it meets the aims of the Code in practice.

“To ensure we comply with the new disclosure regulations, we changed some key communication templates to incorporate information in the way the regulations require,” says Knight.

“We also published our terms of business on our website to increase transparency for clients and introduced ‘behind the scenes’ activities to achieve consistency wherever appropriate, while continuing to tailor our advice service to individual client needs.”

The greatest concern our brokers have expressed is that changes in process and communications to meet regulatory requirements might impact how quickly we can respond to clients, says Knight.

“Any significant regulatory change can be expected to affect the time things take to get done,” he says, “and sometimes our people need to take extra time to help busy clients understand the new disclosure information or find the insurance package details they are looking for in the new format”.

“Our team takes pride in their ability to respond quickly and professionally to meet client needs so this was the most important thing on their minds”.

As Rothbury Insurance Brokers settles into the new regime, the company is very focused on ways to improve and speed up our processes, says Knight, while continuing to meet the compliance requirements.

“We are listening to clients and using their feedback to prioritise what we focus attention on.”

The switch to the new regime was “far from painful” for insurer Pinnacle Life, says spokeswoman Jane Barron.

“We were well aware of the requirements of the new regime, having obtained our transitional licence in early 2020,” she says.

“We had a plan, we stuck to it… (and) the change gave us the impetus to examine our operations and make changes where required to ensure we continue to deliver good customer outcomes.”

Summerfield is cautiously optimistic about how the new regime will play out long term.

“In terms of future challenges, there are two I would call out,” he says.

“The first is full licensing, although anecdotal feedback I've seen from the few people who have already obtained their full licence is that it's not as difficult as they expected.

“The second is the pending conduct regime. That won't directly affect advisers but could have a significant indirect impact as insurers they deal with implement fair conduct programmes.

“It's too soon to quantify the exact impact as MBIE is currently consulting on changes to the Bill which would alter the efforts FAPs need to go to in overseeing advisers.”
