By Chris Davies, Executive Director & Co-Lead of IFA Business Unit at Howden
The way many of us work has seen a fundamental shift since the onset of the pandemic. As we transition to the ‘new normal’, hybrid working is being hailed as the future of the workplace. For example, more than 80% of UK financial services firms expect to take a hybrid approach to work going forward. Many workers are reaping the benefits of reduced commutes, greater work-life flexibility and office spaces focused on collaboration, socialising and training.
However, with hybrid working also come new cyber security threats. Working across a mix of private and public servers, accessing company facilities remotely, and the greater onus on employees to adhere to cyber policies all leave firms open to cyber-attacks. In addition to this, the general development of technology and the world’s reliance on data has led to an expanding scope of cyber exposures. The number of ransomware attacks worldwide spiked by 170% between Q1 of 2019 and Q4 of 2020, and the severity of incidents has been increasing as well. While all industries are exposed to cyber threats, the volume of sensitive material handled by financial advisers means that cyber security is paramount.
Now add to the pot ‘silent cyber’. Silent cyber refers to the potential cyber exposures within traditional property or liability insurance policies, where cyber coverage is neither explicitly excluded nor clearly included. As one would expect, this can result in ambiguous coverage, increasing the risk of disputes between policyholders and insurers, or of cover not matching policyholder expectations when cyber-attacks arise.
Recently, Lloyd’s of London raised concerns that silent cyber causes unexpected risk to insurers’ portfolios. To rectify this, regulators now require insurers to put action plans into place to reduce ambiguous exposure, clearly excluding or affirming coverage within their policies. Changes are being introduced in a number of phases, with the phase covering PI and other liability policies having commenced on 1 January 2021.
How has this impacted the IFA and mortgage broker markets?
Excluding or affirming cyber cover sounds simple in theory. However, in practice, it has been far from plain sailing. Given the mandate and the short timeline provided by Lloyd’s, insurers’ response has generally been to exclude rather than confirm cover. As such, advice firms risk being unprotected from cyber breaches unless they now have separate cover in addition to their Professional Indemnity (PI) policy.
Policyholders are now likely to find silent cyber exclusions applying to renewals of their PI policies. Precise changes will vary, but in a very general sense, there are areas for which you can expect cover to be excluded. Third party claims and any costs in reconstituting or recovering lost or damaged documents and data are likely not to be covered. This includes loss directly arising from a Cyber Act, the insured’s computer system failure or the receipt or transmission of a computer virus. Loss arising from failure or interruption provided by an external provider, or loss for an actual or alleged breach of data protection laws, is also unlikely to be included.
What should you do?
Data has now replaced oil as the world’s most valuable resource. Individuals and companies of all sizes, in every industry, are increasingly relying on technology and data in some way or another. A cyber breach can affect the ability to operate, cost millions, and damage long-term reputation. Financial advisers, in particular, sit on a considerable amount of personal data relating to individuals’ wealth and financial situations that can make them a target. The Pandora Papers have been a high-profile example of this. Client-led businesses are increasingly earmarked by criminals due to the amount of personal data which can be harvested from them.
With the new changes coming into force around silent cyber, it is important to carefully review your current policies and examine any exclusions proposed to avoid getting caught out. We’d recommend examining this with your broker, to ensure that policies are fully understood and not overly broad.
The range of cyber risks the financial advice industry now faces, particularly as many of us transition to a hybrid working model, can’t be ignored. A solid cyber insurance policy is vital to help to minimise and mitigate risks. As cyber risks increase and cyber cover is reduced in PI policies, it is more important than ever to consider a separate cyber insurance policy to maintain appropriate cover.