Better Business, May 9 2024

Data breaches are costly but advisers can protect themselves

(Chris Ratcliffe/Bloomberg)

Insuring against potential data violations pays, according to lawyers, but it can’t be used in isolation to guard effectively against a potential fallout.

Luckily it’s not often one hears about personal data protection breaches at advice firms but they do happen.

And mistakes can be costly. Not only can firms be fined several million pounds under GDPR, they can also incur regulatory fines for breaching the FCA's data security rules.

The good news is that mistakes can happen and firms are not typically held liable straight away. The bad news is that insufficient processes and controls can do more damage than a simple fine.

According to Richard Breavington, partner and head of cyber & tech insurance at RPC, advice firms are particularly vulnerable to data breaches when it comes to monetary transactions.

"In these situations, a common target for a threat actor will be to intercept communications regarding payment involved in the transaction and to ask for it to be re-directed to a fraudulent bank account," he says.

Typically the culprit is human error, he adds. "[Such] payment diversion frauds can follow from payment details not being double-checked through a separate source, such as phoning/video-conferencing a trusted number or address.

"It can also be human error that is the root cause of the initial access by the threat actor, through responding to phishing emails and/or failing to have properly configured systems in place."

But he stresses there is no requirement in the data protection rules that organisations must not have personal data breaches, rather they have a duty to try and prevent them as best as they can, and if they occur, to act accordingly.

Meeting claims criteria

In order for a valid claim to be brought under the GDPR, it must be established that there has been a breach of the requirements contained in GDPR and that such a breach has resulted in a loss.

One of the requirements, which is mirrored in the FCA’s expectations of regulated firms, is that appropriate security measures are put in place to prevent data breaches.

Fred Snowball, partner at Macfarlanes, says the regulatory guidance is clear: firms must take proactive preventative steps and cannot simply be reactive when it comes to data security.

He says: “The FCA...is focusing very much on business continuity and harm to consumers, whereas the Information Commissioner’s Office’s focus is slightly different, pretty similar, but slightly different in that it's looking at the harm to individuals' data rights under the GDPR.”

He explains: “The things that regulators will be looking at are have you got proper systems and controls for verifying data whenever it's transferred outside to make sure it's going to the proper parties to catch these kind of mistakes.

“On the cyber attack side, have you got proper IT protections, have you got disaster recovery plans, all that kind of thing.

“There is not an expectation that this should never happen, because I think there's an acceptance that in the modern world it's inevitable. But it's just making sure you've taken the logical steps to protect yourself and to try as hard as you can basically to make sure it doesn't happen.

“If an accidental data breach happens and you don't respond to that well, I think there's a big reputational risk there,” says Snowball.

Firms have an obligation to report data breaches to the ICO and typically the FCA as well, if certain tests are met and the risk posed by the breach warrants it.

This can attract a flurry of third party claims, the severity of which depends on the type of data and the extent of the breach.


In order to bring a claim the claimant must be able to prove they have suffered damage, but this does not necessarily mean financial loss; it can also mean things like distress.

Snowball believes, though, that the value the courts currently ascribe to such cases is "very low".

“There's been a few comments from judges along the lines, essentially, that in the modern world people have to accept that this is a fact of life. 

“And the courts are reluctant to accept in many of the kind of day to day cases, that someone suffered a sufficiently high degree of distress about all of this to be entitled to compensation.”

Breavington says that, when it comes to the losses suffered, financial advice firms may be more vulnerable than other sectors.

This is because of the nature of the data they hold on clients.

“In order to be able to provide financial advice, they are likely to be holding relatively sensitive data, including a variety of financial information and identity information,” he says.

“Such information could be misused by a malicious actor to carry out identity fraud or financial fraud, and any identity documents in scope might need to be replaced at a cost to the individual.

“Therefore, the nature of the information likely held by financial advice firms means any data breach could result in a greater amount of loss being suffered by affected individuals than organisations in other sectors.”

The lawyers add that firms should remember they are required to check not just their own systems and controls but those of their outsourced partners too.

Snowball says: “The sort of challenge that we see more often than not is,…how do you make sure with third party service providers within your supply chain that they are up to scratch as well.

“Because if you're sharing data with them, and they have a breach, the ICO and the FCA will be looking…to you to say, well, what did you do to make sure that these guys were up to scratch? That's a particular challenge.”

Conversely, Breavington says a third party could bring a claim against the advice firm if the latter is holding confidential data that is sensitive to the former.

"If that data is compromised or unavailable and that third party suffers loss, then there might be a contractual claim against the breached party, which is separate from, or additional to, any GDPR issues."

To give an example, he says the financial advice firm might process data that is needed by a corporate client to carry out its day to day functioning – such as invoicing customers or paying salaries to staff.

"If that information is unavailable or compromised, the client might suffer loss as it cannot carry out the function for which the data is needed, at least temporarily. That loss might form a claim by the client against the breached financial advice firm, depending on the terms of the contract between them."

Taking out insurance

Insurance can help guard against claims, and both Breavington and Snowball advise firms to take it out.

“It's a sensible thing to do,” says Snowball, “it's such a significant risk to the business, both from a legal perspective, from a regulatory perspective, and from a reputational perspective, that it's logical that you would look to insure against that risk.”

This specialist insurance comes on top of professional indemnity insurance and is not mandatory, though more and more firms tend to have it, says Snowball.

There are several options for advisers, from covering just specific breaches such as cyber attacks, to a broader policy covering accidental breaches too.

Breavington says: “Depending on the terms of the policy, such cyber insurance could provide cover for potential claims arising out of data breaches but also give the policy holder access to technical forensic assistance, legal advice and PR firms to help when responding to a data breach.

“The expertise of these vendors would help minimise the fallout of a data breach generally whilst also minimising claims received in the wake of an incident.”


But the lawyers warn against blindly relying on the insurance.

“The issues that we usually see are policies that aren't really up to scratch and are quite outdated,” Snowball says.

“But the main thing is, are those policies really stress tested, are they regularly reviewed and kept up to date? I think that's probably one area where firms could do better on the whole.”

Nigel Vincent, data protection officer at Quilter, says the advice firm has cyber insurance in place because “this is where the greatest risk of mass data exfiltration, and therefore the greatest risks to customers lie.

“Ultimately, the decision is a risk-based decision on how much data and how sensitive the data that the business is processing is, and particularly how much distress could be caused to clients should the worst happen.

“Insurance is one layer of what should be a multi-level defence mechanism to prevent incidents, contain incidents when they happen and to be able to respond to any consequences."

To minimise the risk of data leakage Quilter has put in place a blend of technology and procedures.

"Though people will try to avoid making mistakes, they can become used to a process working a particular way and may overlook controls as they operate through their workload, particularly during busy periods,” says Vincent.

“On the other hand, automation is limited in its ability to respond to operational changes and needs, and can lack the checks and balances required to prevent errors.

“Respectively, these limitations can lead to errors such as misdirected emails and physical mailing errors which can compromise the confidentiality of client data. Conversely, manual and automated controls both provide protections against misuse.”

On balance, he says, “the automated option is becoming more prevalent and is often the only viable option.

“Humans are unlikely to be able to respond quickly enough to a cyber attack and would not be able to maintain the level of vigilance that tooling can offer."

carmen.reichman@ft.com