In conversation with Robert Morris (Bluefin)
We are very grateful to Robert Morris (ACII) for making time to share his observations on Cyber Crime. Robert is an Account Director in Bluefin Professions. Robert has been working in the insurance industry for over 25 years and specialises in the placement and servicing of professional practices' insurance requirements, in particular Professional Indemnity and Cyber liability covers.
To what extent do standard professional indemnity policies provide cover for loss or damage caused by cyber crime?
This does vary from insurer to insurer, but ordinarily any Cyber cover provided under a Professional Indemnity policy may require the claim trigger to be a breach of the firm's professional duty whilst transacting business electronically. Any Cyber cover provided is usually for a sub-limit below the standard limit being provided under the policy. Usually the cover provided will be "third party", i.e. for losses caused to clients by a firm's actions, although some insurers do provide some first party cover, for example the costs of repairing the firm's systems as a result of an attack.
What additional protection is afforded by a cyber fraud specific policy?
A Cyber specific policy can include cover for Cyber incident response costs (including IT forensics, legal, breach notification and crisis communications), Cyber crime (including social engineering), Cyber extortion, System damage, System business interruption, Cyber and privacy liability, and reputational harm cover.
When buying a specific Cyber insurance policy, you are buying not only a product but also a service. Most Cyber insurers provide a 24/7 incident response service which gives policyholders access to a specific helpline to call to assist them in identifying, responding to and managing any incident. Cyber specific policies also provide both first and third party covers, i.e. losses affecting both the firm and its clients. If, for example, a firm has lost or compromised its clients' data, it may find itself exposed to claims from both the individuals affected and the respective national supervisory authority. Under the new GDPR Regulations coming into force in May this year, both the individual (if the breach is a high risk to the individual) and the authority have to be notified by a firm within 72 hours of becoming aware of the breach, and the firm could then face a fine of up to £20M or 4% of turnover (whichever is greater) from the authority for serious breaches.
From a risk management perspective, what practically can professionals do to seek to reduce the risk of suffering loss as a consequence of cyber crime?
A large number of businesses currently rate Cyber risks and data security as their top operational risks, due to the growing number of Cyber attacks combined with the new GDPR regulations in May this year. Having a robust Risk Management regime embedded within a business, supported by senior management and addressing the risks to its information assets, may not stop all Cyber attacks but will help in dealing with them to minimise the impact. Buying a Cyber insurance policy is only a small component of a firm's overall management of Cyber risks. In addition to a firm's own risk management procedures, most Cyber insurers will provide a raft of risk management advice alongside the actual policy cover and service they provide.
This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.