How can your practice defend itself against a possible cyber incident?
It is becoming increasingly common to hear mention of the names of professional services firms in the press in connection with a cyber breach incident. Cyber attacks have become a fact of life, highlighting the ever-evolving challenges that all professional services firms need to meet.
Preserving confidentiality is a core professional duty, and a failure to do so can lead to a number of exposures. Professional services firms, including accountants and auditors, are often viewed as good targets for hackers, due to the wealth of sensitive confidential data they hold and because firms can be perceived to have less sophisticated data security than clients in, for example, the financial services and healthcare sectors.
A cyber breach can occur for a number of reasons: for example, an employee opening a dubious email attachment or responding to a phishing attack with passwords or other security information, the introduction of malware via a third party supplier's system, or a failure to keep software up to date, leaving vulnerabilities in the system open to exploitation. It can be more difficult for smaller firms to protect themselves from attack, as they do not have the same resources to invest in cyber-security defences and training as larger organisations.
The UK has not yet had anything like the claims exposure from cyber events that has been seen in the US. However, that may change following implementation of the General Data Protection Regulation (GDPR) in May 2018.
How are firms exposed?
First party losses
The aftermath of a cyber breach is unpredictable and depends on the nature and extent of the breach, the information compromised and the effectiveness of containment and recovery. A firm may incur first party costs/losses in connection with any or all of the following:
At their worst, cyber breaches can have catastrophic consequences for the subject of the attack. It is often reputational damage which can have the most significant impact, as a loss of trust from clients (whether justified or not) can be disastrous if widespread.
In addition, firms may find themselves subject to claims from third parties and to regulatory action.
Clients may make claims against professional firms which are unwittingly caught up in cyber frauds. The most common examples we have seen have been claims by clients against law firms. A number have been subject to so-called ‘Friday afternoon frauds’, where a fraudster dupes the firm into sending its client’s money to the fraudster (often through falsified email communications). Claims arising from these events usually take the form of a claim for breach of trust, and can be very difficult to defend.
Claims of this sort usually relate to the professional firm paying client money to a fraudster. However, it may also be possible for a client to sue for negligence in other circumstances. For instance, it might be possible to make out a claim if a professional firm’s IT security were to be unreasonably weak and that allowed hackers to send the client falsified bank details, purportedly from the professional firm, leading to the client unknowingly paying its money to fraudsters.
If a cyber-attack results in a loss or disclosure of data, claims may be made by the owners and/or subjects of the data. For example, compensation might be sought under the data protection legislation; there may be breach of confidence claims, breach of contract claims (for example, breach of an express or implied term that data would be stored securely) or negligence claims for the failure to take reasonable security precautions.
Regulatory action following a cyber event might relate to a failure to protect confidential information or a failure to notify affected individuals in compliance with laws or regulations.
ACCA – confidentiality is one of the key principles of the ACCA code. Whilst even the strongest and most sophisticated systems and controls employed to prevent cyber attacks will not be watertight, a breach following a failure to take even the most basic steps to secure client information might constitute misconduct and therefore render members liable to disciplinary proceedings. Other regulators have taken disciplinary action, including imposing fines, for failing to take reasonable steps to prevent breaches.
Information Commissioner’s Office (ICO) – one of the key principles of the GDPR in the context of cyber security is Article 5f which states that the firm must have appropriate security measures in place to protect personal data. We have seen fines imposed by the ICO for security failures by professionals.
The role of insurance
Professional indemnity insurance may provide some insurance cover in the event of a cyber breach. However, there may be significant gaps in the cover provided in relation to a number of the exposures outlined above. In particular, a standalone PII policy will not usually provide cover for first party losses, such as the cost to the firm of identifying and fixing the security issue.
In contrast, cyber liability policies have a built in response protocol in order to respond quickly and effectively to a data breach. This is usually led by a breach response coordinator, who will organise the forensic response, instructing third party suppliers (such as PR firms and credit monitoring services), considering notification obligations to regulators and individuals (if appropriate) and dealing with subsequent third party claims.
The cover provided under cyber policies is typically split into three main parts: (1) first party losses; (2) breach response costs; and (3) third party losses. Crucially, cyber policies typically provide cover for the following:
Cyber policies also often have a lower self-insured retention or deductible than may be found in a PII policy.
However, there are some important exclusions under cyber policies. Reputational damage is not covered: cover is typically limited to the management of reputational issues, not the actual harm suffered. Cyber policies also usually operate to restore systems rather than to improve them, which may be of little use if a serious vulnerability has been exposed.
Policies also typically exclude the following:
Therefore, if commercially sensitive data is released into the public domain, the financial consequences for the insured (which may be severe) are unlikely to be insured.
The cybersecurity landscape is constantly changing and is increasingly sophisticated. In addition, changes in the way firms work, such as agile working, impact upon the risks that firms face in keeping data confidential. Set against changes to data protection regulation and threats of litigation, there is an increased need for firms to assess their cyber risk and consider holding standalone cyber insurance as part of a firm policy to detect, prevent and respond to cyber events.
Examples of cyber incidents
Ian Peacock – partner, Clyde & Co LLP on behalf of Lockton Companies LLP
If you have any questions or would like to discuss cyber insurance, please contact Roselin Ali or Catherine Davis at Lockton Companies LLP on 0117 9065057 or ACCAaccountants@uk.lockton.com.