Embracing new technologies and systems brings potential associated risks. However, FIs, like most businesses, need to constantly review their systems and processes to improve organisational efficiencies. Being aware of potential cyber-related threats is key for any business, as is understanding that there are other, indirect threats to be aware of, for example the geopolitical landscape. The NotPetya and SolarWinds [1] attacks were examples of how businesses that were not a direct target suffered unintended consequences of nation-state cyber campaigns.
For FIs, the main cyber threats remain:
According to WTW proprietary data, most cyber claims suffered by our FI clients are Privacy Breaches, caused by either Unauthorised contact or Disclosure, or Malicious Data Breach, as the highest cause of loss [2]. Examples include a malicious attack against a computer system to steal sensitive data, or an accidental breach of data protection legislation (e.g. the General Data Protection Regulation (GDPR)) caused by employee error. These losses primarily concern the liability (settlement costs) arising from such breaches, but also include, among others:
Generally, Malware is intended to exfiltrate information or funds, disrupt a business’s operations, or extort money. These are the key attributes and objectives of a Ransomware attack. Whilst we saw a decline in Ransomware attacks during the Covid-19 pandemic, this does not appear to be consistent with Q1 of 2023[3]. Ransomware is seen to be one of the biggest cyber threats to a business, mainly due to the disruption it can cause, but also due to the significant costs involved.
The theft of funds perpetrated via electronic communications is the third largest cause of loss for WTW FI organisations, accounting for 13% of all cyber-related losses[4]. Although the average size of loss has been substantially lower than Data Breach and Ransomware losses, Social Engineering events remain a significant threat to FIs. Employee training, including adherence to policies and procedures, is a key practice for establishing robust defences.
These are generally across most businesses:
Each of these can have a significant impact.
A cyber event (with no physical damage) will generally result in an insurance claim under a cyber policy and/or a professional indemnity and/or crime policy, depending on two things: (1) the outcome of the event, and (2) the policy wording itself and the breadth of coverage available, which can vary from geography to geography. Loss of funds or theft of goods are typically covered by a crime policy (subject to terms and conditions), whereas the liability arising from a data breach would generally fall for cover under a cyber policy and/or a professional indemnity policy. Options for a combined solution are becoming available in the insurance market, which Insureds may want to consider as part of their risk strategy discussions.
The fallout of a cyber event can trigger other policies, such as a Directors & Officers (D&O) policy, particularly when there is a regulatory investigation targeted at a senior individual; you may recall the recent PRA enforcement action taken against the Chief Information Officer of a UK retail bank[5]. D&O policies may also be triggered where directors are the subject of a shareholder action in connection with a drop in share price as a result of such a cyber event.
The following graph, reflecting WTW proprietary data, provides a breakdown of FI Claims according to allocation of costs:
It is worth noting that 45% of costs are categorised as “Insured Funded, above Limit of Indemnity”, which gives an indication that the Limit of Indemnity purchased by some FIs may be insufficient to cover a large portion of the total loss.
When taking on a new risk, or even renewing an insurance programme, Insurers like to know what processes an Insured has in place to prevent cyber-related events from impacting their business operations. For example:
These are some of the questions which insurers will want to have answers to in order to assess what defences insureds have in place and to better understand their risk exposure.
In conjunction with our proprietary data, other data sources[6] also suggest that a key cyber risk for FIs is a Privacy Breach, whether as a result of human error or maliciously derived. This can lead to third-party claims and associated costs. Talk to WTW or your Claims Advocate to discuss whether your insurance programme and scope of coverage are fit for your needs.