Cybercrime is a key business risk and those in audit and accountancy firms are especially vulnerable to attacks because of the type and volume of data they collect, process and hold. This means that all audit firms, whatever their size or structure, need to factor cyber risks into their business risk protection strategies.
Although cyber risks and security are front of mind for many organisations, cyber insurance is often overlooked. During recent years, there has been a growth in what is referred to as ‘silent cyber’ exposure, raising concerns about how well providers and buyers of insurance understand the extent of policy cover and the associated risks.
Professional indemnity insurance (PII) policies have not always made clear the position on cyber coverage. Traditionally, cyber coverage was neither explicitly included nor excluded, which could lead to coverage disputes and create problems for insurers and the insured. To clarify the extent to which PII policies cover cyber-related claims, ICAEW changed its minimum approved wording for PII.
As cyber risks are evolving and increasing, it’s important for audit firms to ensure that they have the right protection, including cyber-related insurance, and to understand what ICAEW’s minimum wording changes mean.
From 1 September 2021, changes to ICAEW’s minimum approved wording clarify the losses from cyber-related events that will not be covered under compulsory PII policies. This makes it easier for firms to understand what, if any, cyber cover exists within their compulsory PII policy and whether they need to look for additional cover elsewhere.
ICAEW made the minimum wording changes as a response to a regulatory requirement on UK insurers to clarify the extent of cover for cyber-related claims in insurance policies.
Keeping public and consumer protection in the forefront of its response, ICAEW’s changes to the minimum wording have preserved existing cover for third-party claims and clarified that relevant first-party losses with a cyber trigger are not covered.
These first-party costs include losses incurred by the insured firm itself: for example, a firm’s costs related to investigating the cause of a cyber-attack. As certain first-party losses are definitely not covered and it is quite likely that firms suffering cyber-attacks will be incurring those losses, firms may need to think about other types of cover, for example, stand-alone cyber policies.
Firms can learn more about this minimum approved wording change and its implications for firms on the ICAEW website.
Information on what is typically included in cyber insurance cover and hints on finding the right cover for your firm.
In March 2022, a Technical Advisory Service Helpsheet was published to provide guidance to ICAEW members on PII.
Resources from ICAEW’s Cybercrime Week 2021 are available. They include articles, podcasts, videos and webinars on cyber threats, cyber hygiene, fraud, response and recovery, people and culture.
This article was first featured in the May 2022 edition of Audit & Beyond.