The hyperbolic ‘Big Bank Risk’ headline of the lead article in last Monday’s Gleaner grabbed my attention. The first sentence said a veteran attorney-at-law was calling for the Jamaican Bar Association to convene an urgent meeting with Finance Minister Dr Nigel Clarke.
The meeting was “to find solutions to safeguard lawyers against the potential financial risk of losing clients’ funds in banks through fraud”.
I was baffled by the fact that the meeting was not requested with the Insurance Association of Jamaica, the body representing institutions that assume risks from businesses, individuals, professionals like lawyers and doctors, and others, or the Jamaica Insurance Brokers Association, the entity that speaks for brokers.
Surprisingly, neither the Bank of Jamaica, the regulatory agency for commercial banks, nor the Financial Services Commission, the regulator of insurance companies, other non-deposit-taking institutions and brokers were among the proposed invitees. Even though “the all things finance buck” stops with Dr Clarke, he is not in the business of finding solutions to safeguard lawyers or other groups where market solutions exist. Insurers and brokers are.
In addition to fraud, several kinds of risks associated with lawyers’ responsibility as trustees of clients’ funds that are deposited with banks were listed in the article as social engineering; hacking incidents at commercial banks where customers’ accounts are emptied; legal liability arising from losses associated with the banks’ inability to secure funds for which lawyers are custodians; and limited protection offered by the Jamaica Deposit Insurance Corporation.
Fraud is a big-ticket item. My Internet browser listed 74.7 million items on the subject. ChatGPT, the natural language processing tool driven by artificial intelligence technology, listed the following types of bank fraud locally and around the world as:
1. Identity theft: Criminals steal personal information, such as social security numbers or bank account details, to open accounts or take out loans in someone else’s name;
2. Credit card fraud: Criminals may use stolen credit card information to make unauthorised purchases or cash withdrawals;
3. Cheque fraud: This involves creating or altering checks to withdraw funds from someone else’s account;
4. Phishing: Criminals use deceptive emails or websites to trick individuals into providing their personal and financial information;
5. ATM skimming: Criminals install skimming devices on ATMs to capture card information and PINs when people use the machines;
6. Account takeover: Criminals gain unauthorised access to a person’s bank account and make unauthorised transactions;
7. Loan fraud: Fraudsters may use false information or identities to apply for loans; and
8. Insider fraud, which involves bank employees or insiders using their knowledge and access to commit fraudulent activities.
Alert readers will notice that ransomware attacks – like the kind that was perpetrated recently against the FSC – was omitted.
Banks typically buy Employee Dishonesty or Fidelity Guarantee insurance to protect themselves against the dishonest or fraudulent acts committed by officers and employees, attorneys retained by the bank, and non-employee data processors while performing services for the insured. The banking regulator almost always mandates coverage.
The veteran attorney expressed his concerns a few days after the Jamaica Information Service reported that the Government plans to set up a national cybersecurity authority in two to four years. “The authority will be a creature of statute and will seek to provide overarching guidance to how cyber (computers and computer networks) is treated in Jamaica,” the report said.
The proposed measure highlights the gravity of the cyberthreats that face the country.
Cyber risks are now a front-burner issue. Many people failed to pay attention when I began writing about it thirteen years ago. To repeat an article I wrote in June 2021:
The average property and liability insurance contracts were created during previous centuries for the world of bricks and mortar. They are now inappropriate for the complex, intangible, fast-moving, technology-dependent digital world of the 21st century.
As a result, even the most experienced lawyers who are not computer-savvy, familiar with evolving cyber threats and the rapid developments in cybersecurity will have difficulty navigating the 30-odd page cyber risk insurance contract, the subject of the article.
This insurance broadly offers protection against the financial fallout from cyber incidents – including data breaches, network damage, business interruption, legal fees, and even ransom payments. As some providers call it, a cyber insurance solution is a service, not just a product. Insurers partner with industry-leading professionals, including risk assessors, forensic experts, and other technical support specialists, to provide coverage and manage cyber threats when they occur.
The policy consists of 18 insuring modules or parts as compared to two for a comprehensive motor policy. Nearly 45 per cent of the 18 parts, (eight), apply to third parties or entities who the policyholder may become legally obligated to pay in the event of a cyber incident. Seven modules (39 per cent) are linked to losses the policyholder may suffer when an insured event occurs. The remaining three parts (16 per cent) protect against cybercrime-related monetary losses that the policyholder may suffer. This structure of one of many sections of the contract is an indicator of the complex array of the threats that organisations of all kinds and sizes face daily and of which most persons are unaware.
The first three of the attorney’s concerns itemised above would generally be offered under the standard coverage available from some insurers. I suspect that most commercial banks have employee dishonesty and cyber risks coverage.
If I may offer some free advice, the veteran attorney and other business operators should explore the cost/benefits of the coverage given the nature of the threats that face businesses of all sizes and the imminence of the start date for the Data Protection Act. Also, readers should consider finding out whether their chosen attorneys have cyber-risk insurance.
Finally, the coverage offered by the Jamaica Deposit Insurance Corporation for bank deposits differs sharply from what the private insurance market offers. It protects depositors from the failure of the banking system. As a result, losses due to fraud, theft and cyber events are excluded from that coverage.