ASIC expects all AFSL holders to take reasonable steps to protect the personal information they hold from misuse and loss and to put mechanisms in place to prevent a breach of personal information belonging to clients or customers. For most firms, this means establishing a cyber liability policy and engaging an insurer to help with this.
However, as Australia’s cyber liability insurance market is still evolving and insurers are still coming to grips with the risks, there’s currently a lot of variation between premiums – sometimes by as much as 500 per cent for the same risk. Some insurers are just looking for quality and will price accordingly, whilst others are simply providing basic cover and looking for scale.
So how do you know what your cyber liability policy should cover, and at what price?
Cyber liability policies deal with first party loss (your loss), third party loss (your liability for losses suffered by third parties) and multimedia liability. We will examine each in detail.
First Party Losses:
Privacy notification and expenses coverage:
- Costs associated with notifying customers and regulators, including the notification itself, changing account information, etc.
- Legal services to determine obligations under contract
- IT forensic investigation costs to determine the existence and/or scope of the breach
- Public relations consultancy expenses
- Credit monitoring and call centre services for affected individuals
Digital asset/data recovery expenses and loss of business income:
- Costs associated with restoring, re-collecting or replacing data
- Reasonable and necessary costs of retaining specialists to determine the scope of breaches and damage to networks
- Coverage for business interruption and extra expenses required to continue operating due to an interruption, degradation or delay in systems
- Reasonable and additional operating expenses, e.g. rental of IT equipment
Extortion cover:
- Losses resulting from extortion, including payment of ransom and specialist technical assistance
Given the reliance by IFAs on third party service providers, it is critical to understand policy definitions and extensions. Coverage must extend to issues with third party service providers.
It is critical to check your policy's definition of third party service provider. Ensure it is linked to the definition of a computer network, and that this definition extends to a network owned, operated and controlled by the Insured or operated by a third party service provider.
Third Party Losses:
Security and privacy liability:
- Liability for claims by third parties for data breaches (including theft/unauthorised disclosure), transmission of malicious code, breaches of contracts (confidentiality agreements) and other security threats
- Regulatory defence costs, including fines and penalties
Multimedia Liability:
Cover for losses arising out of multimedia activities (defamation, libel/slander etc.). Coverage in some cases can extend beyond electronic publishing, e.g. to print form.
In short, not all cyber policies are created equal. To find a policy and insurer that’s right for your business, make sure you:
- Look for policies with broad first party triggers around a privacy breach, a breach of privacy regulations or a cyber event
- Look for policies with a definition of computer systems that extends to third party service providers
- Check whether the insurer has a dedicated incident response hotline and a team of vendors to respond and work with you at the time of an incident and/or claim
Oscar Martinis is a senior partner at McDougall Kelly and Martinis, a specialist insurance brokerage that deals exclusively with financial services participants including IFAs, fund managers, hedge funds, listed investment companies, private equity and venture capital firms and research houses. MKM Partners is one of Australia’s leading professional indemnity, directors and officers liability, public offer of securities and cyber liability firms.
The opinions expressed in this content are those of the author shown, and do not necessarily represent those of No More Practice or its related entities. All content is intended for a professional financial adviser audience only and does not constitute financial advice.