With the use and dependence upon technology continuing to rise, what are the associated risks for Financial Institutions (FIs)?

Embracing new technologies and systems brings potential associated risks. However, FIs, like most businesses, need to constantly review their systems and processes to improve organisational efficiencies. Being aware of potential cyber-related threats is key for any business, as is understanding that there are other, indirect threats to be aware of, for example the geopolitical landscape. NotPetya and the SolarWinds [1] attacks were examples of how businesses that were not a direct target suffered unintended consequences of Nation State cyber campaigns.

Cyber Threats

For FIs, the main cyber threats remain:

  • Data Breach, Malicious and Accidental: According to WTW proprietary data, most cyber claims suffered by our FI clients are Privacy Breaches, whether caused by Unauthorised Contact or Disclosure or by a Malicious Data Breach, and these are the highest cause of loss [2]. Examples include a malicious attack against a computer system to steal sensitive data, or an accidental breach of data protection legislation (e.g. the General Data Protection Regulation (GDPR)) caused by employee error. These losses primarily concern the liability (settlement costs) arising from such breaches, but also include, among others:
    • Regulatory Fines and Penalties (where insurable at law)
    • Credit monitoring & Identity theft protection costs offered to impacted customers
    • Notification and Call Centre costs
  • Ransomware: Generally, Malware is intended to either exfiltrate information or funds, disrupt a business's operations, or extort money. These are the key attributes and objectives of a Ransomware attack. Whilst during the Covid-19 pandemic we saw a decline in Ransomware attacks, this does not appear to be consistent with Q1 of 2023 [3]. Ransomware is seen to be one of the biggest cyber threats to a business, mainly due to the disruption it can cause, but also due to the significant costs involved.
  • Social Engineering: The theft of funds perpetrated via electronic communications is the third largest cause of loss for WTW FI organisations, accounting for 13% of all cyber-related losses [4]. Although the average size of loss has been substantially lower than Data Breach and Ransomware losses, Social Engineering events remain a significant threat to FIs. Employee training, including adherence to policies and procedures, is a key practice for establishing robust defences.

What are the impacts of a cyber-event?

These are generally across most businesses:

  • Financial – ransom, costs, litigation, share price drop
  • Operational – functionality of services, restricted access, loss of data
  • Regulatory – potential penalties, investigations
  • Reputational – loss of confidence, loss of clients/customers

Each of these can have a significant impact.

So, what about insurance?

A cyber event (with no physical damage) will generally result in an insurance claim under a cyber policy, and/or a professional indemnity and/or crime policy, depending on two things: (1) the outcome of the event, and (2) the policy wording itself and the breadth of coverage available, which can vary from one geography to another. Loss of funds or theft of goods are typically covered by a crime policy (subject to terms and conditions), whereas the liability arising from a data breach would generally fall for cover under a cyber policy and/or a professional indemnity policy. Options are becoming available in the insurance market for a combined solution, which Insureds may want to consider as part of their risk strategy discussions.

The fallout of a cyber-event can trigger other policies, such as a Directors & Officers (D&O) policy, particularly when there is a regulatory investigation targeted at a senior individual; you may recall the recent PRA enforcement action taken against the Chief Information Officer of a UK retail bank [5]. D&O policies may also be triggered where directors are the subject of a shareholder action in connection with a drop in share price as a result of such a cyber-event.

Claims

The following graph, reflecting WTW proprietary data, provides a breakdown of FI Claims according to allocation of costs:

[Graph: Allocation of Cyber Claim Costs (WTW proprietary data); image not reproduced here]

It is worth noting that 45% of costs are categorised as "Insured Funded, above Limit of Indemnity", which indicates that the Limit of Indemnity purchased by some FIs may be insufficient to cover a large portion of the total loss.

What are Insurers asking for?

When taking on a new risk, or even renewing an insurance programme, Insurers like to know what processes an Insured has in place to prevent cyber-related events from impacting their business operations. For example:

  • Do they undertake regular testing of restoration and recovery of key server configurations and data from back-ups?
  • Do they have an encryption policy in place?
  • Is Multi Factor Authentication (MFA) in place across the entire network for remote access?
  • Do they have a Business Continuity Plan which is reviewed and tested regularly?
  • Do they have a Privileged Access Management solution in place?

These are some of the questions which insurers will want to have answers to in order to assess what defences insureds have in place and to better understand their risk exposure.

Conclusion

In conjunction with our proprietary data, other data sources [6] also suggest that a key cyber risk for FIs is a Privacy Breach, whether as a result of human error or maliciously derived. This can lead to third party claims and associated costs. Talk to WTW or your Claims Advocate to discuss whether your insurance programme and scope of coverage are fit for your needs.

Footnotes

1. Client alert: SolarWinds cyber incident

2. WTW Crime FI Claims Report 2023

3. Global Cyber Attacks Rise by 7% in Q1 2023

4. WTW Crime FI Claims Report 2023

5. PRA enforcement action under SM&CR – the first of its kind

6. Cyber services snapshot latest trends

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.