INTERVIEW: Financial Sector May Be Under-Insured Vs Cybercrime - JLT Specialty

Tom Burroughes Group Editor January 7, 2016

Banks and other financial organizations - including those in wealth management - may not have enough protection in place in the event hackers steal data or disrupt businesses, the insurance firm argues.

(This article has already appeared on sister publication WealthBriefing, but is being repeated on Family Wealth Report given the global relevance of the points made.)

When an insurance firm says firms or persons aren’t getting enough cover to protect against disaster, it is entirely understandable to take such comments with a pinch of salt. But as the litany of tales about cybercrime extends ever longer, maybe it is time to take such warnings seriously.

This is the advice from Sarah Stephens, who is head of cyber at JLT Specialty, the global insurance brokerage that is part of the Jardine Lloyd Thompson Group. At present, firms buy professional liability insurance to cover against negligence claims, but there is, Stephens says, a gray area of uncertainty about how or whether this applies to hacking attacks, such as whether it covers the costs of remedying an attack and telling clients there has been a breach.

“Banks and others have to ask, are they comfortable about all this ambiguity?” she said in an interview with this publication. “There is an anxiety from banks who are facing questions from boards and from regulators about what they are doing on cybersecurity.”

There is little doubt that firms, including those in the wealth management sector, are worried about hackers. A recent survey by LexisNexis Risk Solutions and the British Bankers’ Association, for example, showed that changing criminal methodologies, including criminals’ technical savvy, is by far the single biggest anxiety among compliance professionals.

There is a compliance angle: if losses of data and other harms caused by cybercrime lead to a bank being punished by regulators, it could become less likely that talented people will want to work in compliance roles – hardly the sort of outcome regulators will want. The same survey found that more than half (54 per cent) of compliance professionals it polled would choose another career path if the opportunity arose in light of the increased personal liabilities. (That survey was based on 198 responses in the UK sector between May and June, covering 30 banks.)

“I had a financial institution in the US with a large data breach,” Stephens said, adding that there was a class action suit from consumers. One coverage issue in the professional liability policy was that some of the claimants were not existing clients at the time of the breach. The professional liability insurance only applied to services provided to customers, so in some cases like this, liability insurance will not cover payouts to applicants, only existing clients.

“It is likely many companies have lots of data not related to professional services that is therefore not covered by their existing insurance policy,” she said.

A liability policy will not necessarily cover the costs of an investigation into a data breach, or the cost of communicating that problem to consumers and third parties, she said. For instance, the affected telecoms firm TalkTalk has spent £35 million ($52.2 million) on communications issues after the recent breach.


Cyber threats can take a number of forms. In Asia, for example, the Hong Kong Monetary Authority regularly warns the public about fake websites set up to grab private financial details; last year, there was a huge cyber attack on JP Morgan in the US, affecting 76 million accounts (although no actual data or money was stolen); hackers have even attacked the US Internal Revenue Service. In the UK, a report by the Bank of England, issued at the start of December last year, showed that there has been a sharp increase in fears among financial firms about hackers. The share of respondents to the BoE’s Systemic Risk survey highlighting cyber risk as a key concern was 46 per cent in the second half of 2015 - up from 30 per cent in the first half of the year.

A UK government survey estimated that in 2014, some 81 per cent of large corporations and 60 per cent of small businesses suffered a cyber breach. The average cost of a cyber-security breach is £600,000-£1.15 million for large businesses and £65,000-£115,000 for SMEs (source: Association of British Insurers).

Lack of cover

The question, however, is whether this increased anxiety is translating into insurance coverage to deal with the fallout of an attack.

“Many financial services companies are probably under-insured,” Stephens said.

In the UK, coverage across all industries against cybercrime is thought to be lower than 10 per cent; in the US, it is probably up to half. A reason for the gulf is that in the US firms must report data breaches and losses of data to clients; in the UK, there is currently a voluntary code of practice around this. However, this is set to change following the new EU General Data Protection Regulation (GDPR), under which companies can be sanctioned if they fail to report cybercrime to national authorities. This directive may herald a sea-change in cyber cover for UK businesses.

“We have had five or six new insurance company ‘cyber placements’ this year and have had four in the last two months,” Stephens said.

Asked about the dangers of “panic-buying” insurance, Stephens urges clients to take a considered approach: “People need to be careful, rather than rush in…we see potential for a lot of mis-selling of cyber insurance.”

Firms should consult insurers, brokers and others about whether their existing liability policies are sufficient. “Look at what you have and see what needs to be done. This needs to be made a board-level agenda item and not just something for the IT department,” Stephens added.
