Out-Law News

Financial services firms warned against complacency over threat of cybercrime as expert warns of insurance risks


Financial services companies that do not take sufficient steps to address the risk of being exposed to cybercrime will find it difficult to obtain insurance that covers them for any damages or costs they incur from such incidents, an expert has warned.

Insurance law and data risk specialist Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said businesses in the financial services (FS) sector can obtain "improved terms" from insurers selling data risks and cyber liability products if they engage with 'best practice' measures that reduce the chances of cybercrime occurring.

Birdsey was commenting after a major global accountancy firm reported that a number of FS companies appear to be "complacent" about the risk of being exposed to cybercrime.

PricewaterhouseCoopers (PwC) said that under a fifth of the 878 FS firms that responded to its 'Global Economic Crime Survey' said they had in place all five "cybercrime incident response mechanisms" it had "specified" in its survey. The findings demonstrate an apparent complacency by some FS firms to the threat of cybercrime, it said.

In its survey PwC had asked whether companies had "in-house capabilities to prevent and detect cybercrime; shut down procedures; [a] media & PR management plan; in house capabilities to investigate cybercrime; [and] access to forensic technology investigators".

"We expected most FS organisations to have cybercrime incident response mechanisms in place," PwC said in a new report (16-page / 782KB PDF) charting the results of its survey. "To our surprise, only 18% of FS respondents said that they had in place all five measures specified in our survey."

"It appears that some FS organisations are complacent about the risks that cybercrime poses, in spite of serious concerns about potential damage arising from cyber threats. However, our survey results highlight that the FS sector is slightly better placed when compared to other industries," it said.

"Over half of FS respondents have a media and PR management plan in place, nearly two thirds have shut down procedures in place, and over two thirds have an in-house capability to prevent and detect cybercrime," PwC said in its report.

Birdsey said that FS firms that fail to take steps to address the risk of exposure to cybercrime will face difficulty in obtaining insurance cover to underwrite the financial risks those firms could be exposed to in the event of an incident occurring.

"Insurers recognise the heightened risk and increased financial exposures presented by FS firms due to the inherent nature of data those companies hold and the level of costs involved in dealing with an incident," Birdsey said. "As a result, FS firms may find it harder to buy data risks and cyber liability insurance products."

"FS companies that apply for such insurance will find that their pre-incident processes and plans will be scrutinised and interrogated by insurers as they assess the potential exposures, likelihood of an incident and underwrite the risk," the expert added. "Those adopting best practice will find that they are more likely to be offered terms, with those terms in themselves likely to be favourable, reflecting the relatively reduced risk and likelihood of an incident occurring."

"Taken to an extreme, those FS companies and firms that have none or few of the five PwC mechanisms in place may not be able to buy insurance cover or will be hit with more punitive terms. Businesses may also want to consider adopting additional best practices, such as engaging in due diligence and testing of their systems, as well as conducting a review of key contracts, such as with suppliers, outsourcing or hosting providers, in order to identify areas of risk and take action," Birdsey added.

In its report, PwC said that, after "asset misappropriation", cybercrime was the "second most common type of economic crime experienced by [FS] organisations in the last 12 months". However, it said that the results from the survey showed that many FS firms have more to do in terms of training staff to deal with cyber security issues.

"FS organisations have placed significant emphasis on cyber security related training and awareness programmes," PwC said in its report. "Only 29% of FS respondents didn’t receive cyber security training compared to 46% for other industries. This statistic is encouraging and suggests that FS organisations are being proactive. However, a lot more could be done."

"That nearly a third of staff in FS organisations have not received any cyber security related training is a significant concern," it added. "This is heightened by the ambiguity around the definition of cybercrime and general lack of clarity around responsibilities for managing cybercrime risks. It is important for FS organisations to ensure that staff and senior management understand cybercrime concerns and are equipped to tackle day-to-day cyber security as well as any crises."

PwC said that too many FS firms believe cyber security issues are an issue for IT departments to deal with, and recommended that senior management take "overall responsibility for managing cybercrime risks".

"It is therefore essential that senior management understand the potential risks and opportunities that the cyber world can present and ensure that there is clear accountability and responsibility within the organisation for dealing with these risks and opportunities," PwC said in its report. "It is also essential that the responsibilities go across business lines and operations so that cybercrime is seen as a holistic corporate responsibility and not just an ‘IT’ problem."
