The Grinch who stole the Reserve Bank’s Christmas

On Christmas Day last year, the Reserve Bank of New Zealand suffered a cyber attack. The attack involved a malicious actor gaining access to a third party file sharing application named Accellion FTA, which the Reserve Bank used to store and share clients’ sensitive information. That person downloaded information from the application, some of which was personal and sensitive, such as personal email addresses, dates of birth and credit information.

The Reserve Bank responded to the breach by patching and securing the application, identifying the organisations and individuals affected and offering them advice and support from a third party specialist. The Reserve Bank also appointed KPMG to conduct a review of its systems and processes.

The attack itself was fairly typical of ‘data breach’ incidents in which a malicious third party gains access to confidential data held on a firm’s systems. A victim of such an attack may suffer loss and damage in a number of ways. The Reserve Bank, for instance, will have incurred the costs of dealing with the attack and the investigation that followed. It may have incurred liabilities to persons who suffered loss as a result of their information being stolen. A commercial firm in its position might also suffer a loss of profits as the data loss hampers its ability to conduct business and its reputation is damaged. It might also become subject to regulatory action and incur defence costs and fines or penalties.

Insurance policies

Insurance policies deal with the different types of loss that may arise from a cyber event, whether malicious or otherwise, in complex and diverse ways. Different policies may respond to different types of loss arising from the same event. Some types of loss may fall through the cracks and not be covered by any policy, and others may be expressly excluded. In some circumstances, there may be double insurance as more than one policy provides cover, in which case terms providing for double insurance may limit cover.

Some types of loss may fall through the cracks and not be covered by any policy, and others may be expressly excluded.

What does Cyber insurance cover?

Policies described as providing Cyber insurance may not provide cover as broad as their name might suggest, as they do not ordinarily provide cover for all forms of loss resulting from a cyber event.

Typically, Cyber policies will provide cover for internal and external costs that a firm or organisation is obliged to incur to deal with a cyber event. These will often include:

• the cost of expert help to manage, cure and investigate the event and its consequences to understand what happened, what data is affected, and what remediation action is necessary
• the cost of urgent legal support to understand and comply with legal obligations arising out of the event, such as notifying regulators, notifying persons whose data has been compromised, and dealing with claims and complaints
• public relations costs
• data restoration from backups
• ransom or extortion costs

Cyber policies may also include cover for the following costs and liabilities:

• liabilities and losses resulting from computer crime, such as misdirected payments – this cover is often expensive and sub-limited (i.e. with a lower cover limit than the main policy limit)
• business interruption losses and expenses resulting from system downtime caused by the event, response, and investigation
• defence costs, penalties, and fines resulting from the event and any consequential regulatory breaches
• contractual penalties imposed by credit card issuers
• digital media claims, such as claims arising from defamation, misuse of intellectual property

However, some Cyber policies do not include cover for the following:

• losses, whether of the insured’s own funds or those of a third party, resulting from a misdirected payment – such as where the insured is tricked by a forged email into transferring funds to a fraudster’s account (cover is sometimes available for this loss by way of an endorsement but it is usually expensive and sub-limited, as insurers are aware that losses of this nature are common and are often expensive)
• damage to the insured’s own computer system from normal material damage risks such as fire, flood etc – unless included in a policy endorsement
• loss caused by a person who was authorised to access the system – an important limitation
• benefits, such as future discounts, provided to the insured’s customers to apologise for the event and provide limited compensation
• losses resulting from a system failure that is not caused by a third party
• losses from natural disasters
• fines and penalties that do not result from a breach of data protection laws

What other policies may provide relevant cover?

Professional Indemnity insurance

Professional services firms and some other service providing entities will normally hold Professional Indemnity insurance to cover them for liabilities they incur from breaches of their professional duties.

These policies may provide cover for liabilities arising from a cyber event if the event constitutes a breach of a professional duty. The following are examples of breaches that may result from a negligent failure to keep a cyber system properly protected or otherwise breach a professional duty:

• breach of confidence, such as when sensitive client information is disclosed or published, resulting in losses to clients
• conduct by the firm’s employees using social media or another cyber platform, such as breach of confidence or brand damage
• misdirected funds, such as when a professional service provider actions a payment request from a fraudster who has gained access to the professional service provider’s email system (this type of loss is increasingly excluded from cover or limited)
• loss of important client data
• breach of privacy from a cyber event (which may be from a policy extension)
• liabilities resulting from breach of intellectual property rights caused by a cyber event (which may be from a policy extension)
• transmission of a virus or other malicious code resulting from a cyber event

This cover is often important because Professional Indemnity policies typically have higher coverage limits than specialist Cyber policies or other forms of insurance.

Fidelity and Crime insurance

Some firms and organisations have specialist Fidelity and/or Crime cover which offer protection from costs and liabilities arising from criminal actions by employees or third parties respectively. This may include cover for the following cyber-related losses:

• criminal cyber breaches by employees who steal client data
• theft by employees who access the firm’s systems to learn of transactions and use forged emails to arrange fraudulent bank transfers or otherwise steal the firm’s or its customers’ assets (often excluded or sub-limited)
• intentional damage to the firm’s or its customers’ data
• ransom demands relating to the firm’s or its customers’ data

Statutory Liability insurance

Many firms and organisations hold insurance against fines and penalties imposed as a result of criminal or regulatory breaches, including breaches that result from cyber events. These may include:

• fines imposed for privacy breaches
• fines or penalties under applicable industry regulatory schemes, such as financial services regulation, resulting from a failure to deliver regulated services or a breach of client confidentiality
• defence costs for the above

Directors and Officers insurance

It is possible to imagine circumstances in which a cyber event results in a claim against a company’s directors for breach of their duties to the company. Such a claim could be made, for instance, where the directors had not paid sufficient heed to the risk of loss arising from a cyber event and allowed it to occur, resulting in loss – possibly catastrophic – to the company and its shareholders.

What important exclusions exist?

Many insurance policy suites do not provide cover for important cyber-related risks. These include the following:

• Some policies do not cover losses from broad cyber attacks that do not target a specific firm or organisation or its cyber systems provider, such as a broad attack upon commonly used applications or software
• Some policies do not cover the insured firm or organisation’s own lost revenue or profits, although they may offer this as an optional extension
• Many policies exclude cover for losses arising from misdirected payments arranged through cyber fraud, or provide only very limited cover

What are some examples?

• A fraudster obtains access to a firm’s email system through a ‘phishing’ email to which an employee unwittingly falls victim. The fraudster learns that a major transaction is about to take place and uses the employee’s emails or a similar email address to arrange for the payment of client funds to be made to the fraudster’s account. The following policies may provide some cover (subject to exclusions, which are increasingly common for this type of fraud): Cyber, Professional Indemnity, Crime.
• A cyber criminal ‘hacks’ into a poorly defended system and obtains access to sensitive client data which is then published on the ‘dark web’. The data includes sensitive client information that results in clients suffering financial loss and personal information that embarrasses individuals. The following policies may provide cover: Cyber, Professional Indemnity, Crime, Statutory Liability.

What do we recommend?

Organisations should consider, with their insurance brokers or legal advisers, how their policy suites will respond to cyber risks and whether there are any material gaps in cover. It may be helpful to consider some of the examples outlined above and assess whether they would be covered, which policies may provide the most appropriate cover and whether any exclusions or sub-limits on cover may apply. Extensions to cover may then be sought where appropriate.

Read Cover to Cover: Issue 22