Cybercrime is a key business risk. According to the UK government’s latest cyber security breaches survey, four in 10 businesses report having experienced cyber security attacks in the last 12 months. Of these, one in five ended up losing money, data or other assets, while one-third reported being negatively affected in some way.
Businesses in the financial services sectors, including accountancy firms, are especially vulnerable to attacks because of the type and volume of data they collect, process and hold. This means all firms, whatever their size or structure, need to factor cyber risks into their business risk protection strategies.
From 1 September 2021, changes to the ICAEW’s minimum approved wording clarify the losses from cyber-related events that will not be covered under compulsory PII policies. This will make it easier for firms to understand what, if any, cyber cover exists within their core PII policy, and whether they need to look for additional cover elsewhere.
ICAEW made the minimum wording changes as a response to a regulatory requirement on insurers to clarify the extent of cover for cyber-related claims in insurance policies.
Keeping public and consumer protection at the forefront of its response, ICAEW’s changes to the minimum wording have preserved existing cover for third party claims, and clarified that relevant first party losses with a cyber trigger are not covered. These first party costs are losses incurred by the insured firm itself, for example a firm’s own costs of investigating the cause of a cyber-attack.
“Firms can now better understand what cover is available under their compulsory PII policies,” explains Sarah-Jane Owen, PII and Regulatory Manager, ICAEW. “And because certain first party losses are definitely not covered, and it’s quite likely that firms suffering cyber-attacks will be incurring those losses, they may need to think about other types of cover, for example stand-alone cyber policies.”
Clarification in the market
“The fact that ICAEW has made this change aligns with what the wider market is doing,” says Edward Partridge, Senior Vice President, Head of Centre of Excellence, Marsh Commercial. The clarification in the market helps to remove some key issues that were affecting not only insurers but also policyholders.
“There was a contribution issue, for example,” explains Partridge. “So where one policy seemed to offer the cover and another seemed to as well, there would be an overlap. But one insurer might say it was not going to pay out, and then the other would say the same, which often made the claims process more complicated and meant it took a lot longer to settle.”
The changes also highlight the role that stand-alone cyber insurance can play in cyber-risk management. “It is critical that firms know this exists,” says Partridge, “and that it covers both first party and third party losses from cyber events.” These encompass everything from phishing, where firms or individuals are lured into handing over data, to ransomware attacks, where systems are held to ransom and data is frozen until firms pay to get their systems back.
The government’s cyber security breaches survey shows that phishing attacks remain by far the most likely event, with 83% of businesses that suffered a cyber event identifying these in the past year. This was followed by impersonation (where external attackers impersonate the organisation in emails or online), and viruses or other malware.
COVID-19 and the subsequent changes to working patterns have also exacerbated the risks faced by firms. Evidence from the government’s survey suggests that businesses have found it harder to administer cyber security measures during the pandemic as people work from home.
“If you think about people using personal devices to do business, and potentially operating outside the firewall, or working in a café where someone can look over their shoulder and see them typing in something confidential, the risks are clear,” says Partridge. “And these are all risks that are more alive than pre-COVID.”
“Being aware that specific cyber insurance is available and can protect you against these things is critical for businesses to understand,” he adds. “Malicious domains, phishing attacks, ransomware, malware, data harvesting are all absolutely established and covered. Examples of losses covered include investigation costs, specialist assistance in tracing and fixing cyber intrusions, costs relating to breach responses, and PR costs.”
“Firms often overlook the reputational harm caused by cyber-attacks,” he explains. “But a lot of stand-alone cyber policies give you access to a PR firm to help you manage the fallout from the event – not just repair financial loss from the event itself but manage ongoing damage and dangers to the business.”
Talk to your broker
“The fact that it will now be very clear to the policyholder that certain losses won’t be covered under PII will make firms think: ‘Hold on, there are exposures here that we need to be thinking about separately’,” says Partridge.
“If you have any doubts or questions about the likely exposures for your business, or are concerned about any potential gaps in cyber cover, a good broker will be able to talk you through the types of policy available to address the key risks,” advises Owen.
“There are a lot of proactive things that insurers can provide access to,” adds Partridge. Leading cyber insurers provide services such as cyber risk assessments, which involve undertaking a cyber audit of the business, asking questions about how it manages cyber exposures and what technical protections it has implemented. This will help the business understand where the gaps are and how to manage different risks.
There is a common misperception that cyber-attacks are only a threat to larger businesses. “We find there is very much a feeling that smaller businesses aren’t at risk from a cyber event,” notes Partridge. “Yet smaller businesses face similar exposures, and they might not be aware of, or managing, the risks as effectively as larger organisations.”
“A broker can be seen as an extension of your board,” he suggests. “We are your risk management partner, and with that we have an obligation to make sure we understand your business and exposures, and can make recommendations based on that information.”
A holistic approach to risk
ICAEW requires that firms in public practice and firms and individuals carrying on regulated activity have compliant PII. This is designed to protect the public interest, and protect firms against claims by clients and other third parties. However, given the changing risk landscape, firms may decide to take a broader, more holistic, approach to insuring themselves against key business risks.
The changes to the minimum approved wording for PII policies now make clear the extent to which cyber risks are included and excluded. While third party risks remain covered, firms now have a clearer idea of which areas of cyber risk, and the potential associated losses, they may wish to protect themselves against through other policies.
In the current hard insurance market, whatever your specific business risks, you need to start early and prepare well as your renewal approaches. “Speak to your broker at the earliest opportunity, understand where your exposures are and where the risks might lie, act to cover any gaps in cover you identify, and be prepared to answer a lot of probing questions about your business,” advises Owen.