
Don’t Mention Cyber War…


Nation State Attacks

The cyber insurance market is increasingly concerned about the impact of nation state cyberattacks. Cyber activity during the war in Ukraine has highlighted this risk and what might happen if a cyberattack escalated. The NotPetya zero-day attack in 2017 was another warning. Although intended for infrastructure targets in Ukraine, businesses were impacted throughout the world.

As cyberattacks evolve and spread, insurers are well aware of the need to manage this type of risk and ensure the long-term sustainability of the cyber insurance market.

Action by Lloyd’s

Lloyd’s of London has been proactive in addressing this exposure and the Lloyd’s Market Association (LMA) cyber war working party has issued updated cyber war clauses, which came into effect on 31 March 2023. They are to be implemented on standalone cyber insurance policies underwritten by Lloyd’s Managing Agents.

New Cyber War Model Clauses

While the principal aim is to provide clarity for both insurers and insureds, there are two versions. Understandably, this has drawn criticism.

Version A is where attribution of the cyberattack is clearly stated: “in determining attribution of a cyber operation to a state, the insured and insurer will consider such objectively reasonable evidence that is available to them.”

Version B is where there is no agreement on how a cyber operation is attributed to a nation state to determine whether the exclusions operate. For this, Lloyd’s will require evidence of a mechanism that has been agreed with policyholders on a case-by-case basis.

The ‘A’ clauses can be summarised as follows:

1. LMA5564A: This is a blanket exclusion for any losses occurring or in consequence of war or a cyber operation.

2. LMA5565A: Places specific sub-limits on claims payments in the event of cyber operations. This, however, also excludes absolutely those operations launched in war, in retaliation by specified states, or which cause major detrimental impacts to the functioning of a state.

3. LMA5566A: As per LMA5565A (2 above), but there are no specified sub-limits on claims payment.

4. LMA5567A: As per LMA5566A (3 above), but allows coverage in respect of “bystanding assets” (i.e., those that may be impacted by a cyber operation, but not those targeted) resulting from cyber operations causing major detrimental impacts to the functioning of a state.

Snapshot of the ‘A’ Cyber War Clauses

Takeaways

• Lloyd’s Insurers may use wording variations of the NMA clauses, and it is therefore important that these clauses are reviewed during placement of a cyber insurance policy.
• To avoid disputes during claims settlements, new definitions such as “Cyber Operations”, “Major Detrimental Impact” and “Essential Services” should be clear.
• Focus should be given to how attribution is arrived at and that policyholders understand this process.

Outside of the Lloyd’s cyber insurance market we are seeing other leading cyber insurers adopt their own clauses using different terminology which has been driven by their reinsurers. We are also seeing insurers who have not yet imposed new cyber war clauses. The market has therefore not reached consensus on this important issue.

Cyber insurance: The facts


Is cyber insurance a regulatory requirement for firms? What type of business would benefit from cyber insurance? What does cyber insurance cover? We’ll answer these questions here and look at how insurance can mitigate cyber risks.

Cyber insurance is not usually a regulatory requirement in the same way that professional indemnity insurance (PII) is mandatory for some firms that offer professional advice as part of their service. However, given that a cyber insurance policy offers resilience in recovering from a cyberattack, it is expected that more and more regulators will require firms to have cyber insurance in place. And even for firms where regulations don’t apply, it is highly advisable to have cyber insurance and observe good cyber hygiene to mitigate the growing threat from cybercrime.

Cyber risk is a concern for every company, from start-ups to global brands, and the more businesses move online and rely on technology, the greater the vulnerabilities and the risk of a cyber incident. This was highlighted by Forbes in Cyberattacks 2022: key observations and takeaways, which describes how digital transformation is “significantly expanding the cyberattack surface and the number of critical failure points”.

Insurance should be part of an overall strategy to limit the damage from a cyberattack when security countermeasures fail, but cyber risks are not normally covered in standard commercial and general insurance policies, so it is important to consider cyber exposure as part of a wider risk analysis.

Ransomware on the rise

Ransomware is malicious software that disables computer systems until a sum of money (the ransom) is paid. Although it is hardly new, the frequency and sophistication of attacks have been increasing over the last three years, and IBM predicts that attacks will spike in 2023. If a system is breached, whether through ransomware or another type of cyberattack, such as hacking or phishing, there is a risk to:
• Data privacy
• IT infrastructure and operations
• Information governance

Resilience and recovery

Having a comprehensive cyber insurance policy will help to protect a company from financial and reputational damage and allow it to recover more quickly if cyber risks materialise. There are three main areas of cover in cyber insurance:
• Event Management
This involves the incident response expenses of an investigation by third parties to establish the extent of the breach; consultation on how to manage legal and regulatory issues; notification management via a crisis communication strategy; the establishment of a call centre to field queries; and the provision of credit monitoring.
• Financial Loss
Coverage for the loss of profits and increased costs of working during an interruption, along with the ransomware cost to manage an incident and the ransom itself. Some policies also cover theft of funds by computer crime.
• Third-party liability
This covers your liability from a third party’s loss. For example, for a failure to protect third-party data, or third parties seeking compensation for financial losses from hacking or virus transfer from your network. Cyber insurance can provide defence costs and any resulting damages from multi-jurisdictional claims, and in some cases insurable fines from regulators and the PCI.

Protection before a claim

Elmore has partnered with cyber security firm Asceris to demonstrate how best practice and better controls can prevent cyber events and avoid insurance claims.

When you approach Elmore for a quote, you will gain an understanding of the strengths and weaknesses of your business’s current systems. We will identify vulnerabilities and advise on how to improve security. From risk assessment and finding the most appropriate cover for your needs, to smooth claims handling and resolution, we provide a comprehensive service for cyber insurance.

Best practice and better controls

Talk to us now and find out how we can protect your business and your customers.

Written by Charlie Sorby – Junior Client Executive.

Will hacking lead to an Australian-style legal system in the UK?


If the Australian example is anything to go by, it won’t be long before UK skyscrapers have law firms’ names in bright lights at the top like their Australian counterparts. That’s because New South Wales is the most litigious place in the world, with ‘no win no fee’ law firms and funding for litigation driving a thriving claimant culture. As a result, recent legislation has placed a cap of 30% on returns for litigation funders. For UK firms, it’s more than 35%.

The recent spate of data breaches and cyberattacks in Australia is triggering class action lawsuits. Optus, Australia’s second largest telecommunications provider, has been called to account, and now the private health insurer Medibank is facing litigation from three class action firms after ransomware hackers caused a major data breach.

British Airways: A British test case

The UK is some way behind Australia in class actions but a recent British Airways (BA) settlement following the data breach of 420,000 BA customers in 2018 could signal what is to come. In the insurance industry we say there is a tail in liability claims, as it can take several years for claims to play out through the courts and ultimately be settled. The BA case just shortened that tail and gave it added sting. This case has several firsts:

• One of the largest GDPR fines to be issued by UK regulators: GBP183m (USD249m)
• The fine was reduced to GBP20m (USD27m) to reflect the impact of Covid-19
• One of the first major successful collective action settlements in the UK
• Of the 420,000 impacted customers, 17,000 individuals are involved in the action, representing a 4% take-up rate
• Participants in the collective action didn’t need to show pecuniary/financial loss as emotional damage/inconvenience was sufficient
• BA reportedly settled for GBP2,000 per impacted individual leading to a GBP34m (USD46m) loss from the first wave of collective actions.

The last point is of particular interest and possibly the start of the ‘Australisation’ of UK society. The law of costs in England and Wales is typical of common law jurisdictions, whereas in the United States each party pays their costs whether they win or lose. In the UK the losing party must pay the costs of the other party. This has now developed into a choice for organisations when faced with a class action legal battle and legal costs and damages on both sides mounting to circa GBP5,000 per individual. With the offer of a swift settlement of GBP2,000 rather than the uncertainty of a five times greater loss, it’s understandable why BA was so fast to settle.

It started with one…now the gates are open

There are a number of different claims an individual can bring in the UK against an organisation for compensation, and the landmark case of Vidal-Hall v Google, Inc. [2015] significantly changed the legal landscape for non-pecuniary damages as a result of a breach of data. This case, along with BA cases, further enables well-funded law firms to push through more cases.

In Australia, people are encouraged to bring claims for minor matters which may have passed by in other jurisdictions. Law firms have become all powerful and the Australian legal system has reached the point where so many claims are in progress that judges are sometimes individually handling 800+ cases at any one time. When you compare the proposed BA settlement with compensation of up to AUD20,000 per person in the Australian system, UK companies may well experience significantly more liability in the future.

Insurance as a last protection

The landscape for cyber insurers could not be more challenging, with countless ransomware claims impacting profitability and threatening the sustainability of business models. It will lead to further challenges if the other part of a cyber insurance policy – the cyber liability section – begins to be used in fast settlements like the BA case.

The challenge to business is to ensure the high standards for a textbook breach response, which arguably BA had provided. But, ultimately, it was the ‘numerous measures BA could have used [but didn’t] to mitigate or prevent the risk of an attacker accessing the BA network’ that resulted in the lack of defence to both the regulator and the civil actions.

Lesson learnt

Law firms are going to target firms with big pockets, but hackers are indiscriminate and firms of all sizes will experience cyberattacks if basic cyber hygiene is not followed. Given that it’s so easy to prevent half of most unsophisticated cyberattacks by using multi-factor authentication and suitable data backups, it’s surprising that more firms are not giving it greater attention. Regardless of cyber security, one thing is certain: in future we’ll see more names of law firms on our skyscrapers as a result of social inflation.

Written by Simon Gilbert – Founder & Managing Director.

Building resilience: How insurers can protect crypto exchanges and their customers in 2023


Insurance is based on the sound principle that underwriters should cover only acceptable and clearly understood risks. Following last year’s challenges in the crypto world, crypto exchange insurers are increasingly focusing on more rigorous controls in this fast-moving and dynamic space. One thing is certain: crypto exchanges with a transparent and strong culture of governance, risk management and compliance will fare better in 2023 than those without.

The collapse of FTX has been called a ‘Lehman moment’, and it capped a shaky year of plunging values, large withdrawals, high-profile thefts and regulatory action. But that doesn’t mean we won’t see confidence restored in 2023 and the market grow again. A key part of this recovery is for firms to have the right safeguards in place and rebuild credibility with their numerous stakeholders.

Volatility and uncertainty go hand in hand with technological developments and trends – think of the dot-com boom and bust – it takes time for all new marketplaces to evolve and implement the right checks and balances. This is why insurance is an essential tool for long-term stability and continued growth. It allows crypto exchanges to align with industry best practice risk management, while protecting the balance sheet should a risk event occur.

Working with the ‘good actors’

It would be a mistake for the events in 2022 to tarnish the reputation of all the good players in the digital asset industry and more widely the emerging world of Web3. There is huge potential for fruitful partnerships between insurers/reinsurers and well-run digital asset businesses, and, according to Cointelegraph, digital asset insurance is a ‘sleeping giant’ with only 1% of investments covered. However, following the collapse of FTX, there has been a big increase in requests for insurance.

One lesson from FTX is that the industry needs stronger controls, better (and more transparent) governance, and more rigorous risk and compliance management. Analysing FTX’s collapse, the rating agency AM Best flagged the “complete failure of corporate controls” and “a complete absence of trustworthy financial information”, which are both prerequisites for insurance. AM Best highlighted the lack of a board of directors, the lack of experience amongst the senior management team, and the concentration of power in the hands of Sam Bankman-Fried.

Crypto exchange risk

The collapse of a crypto exchange is a warning to investors that crypto accounts lack guaranteed protection if they go bust. Crypto exchanges are not the same as banks and other financial institutions: they don’t hold fiat currency, they haven’t been as heavily regulated and will not be protected by insurance and government guarantees. While no investment is totally secure, the legal and regulatory framework for crypto exchanges is still evolving and requires the same basic safeguards enjoyed by traditional finance.

Customer protection insurance

Exchanges have been keen to show customers that assets are secured and protected by a range of audits in the past weeks, and now there is a new area of protection that is adding value for exchanges seeking new customer deposits: customer protection insurance. This effectively covers customers’ individual funds in a wallet if they are stolen in a cyberattack. It’s a valuable form of protection that is often bundled as an additional benefit for customers with premium trading accounts. This insurance can also be extended to a wider range of perils, offering protection for an individual’s data and technology against different types of cyber events.

At Elmore, we have in-depth knowledge of crypto exchange insurance. We work with crypto exchanges and all types of Web3 market infrastructure, gaining insights and expertise that help us provide the right cover for our clients across professional indemnity (PI), cyber, crime, and directors and officers (D&O) insurance. We also undertake detailed insurance due diligence reviews to identify risks and advise on appropriate insurance cover.

Contact us to find out more and discuss your needs.

Written by Simon Gilbert – Founder & Managing Director.

MFA fatigue: Too tired to stop hackers?


Multi-factor authentication (MFA) is a baseline cyber security requirement. Without this protection, hackers can gain access to computer networks with relative ease, which is why it’s now standard practice for insurers to provide cyber security coverage only if MFA is in place.

As with all forms of security, cybercriminals are continually evolving new ways to breach defences, and ‘MFA fatigue’ is a social engineering tactic that’s on the rise. This is where cybercriminals attempt to access networks by repeatedly sending MFA prompts to users until they finally accept one.

MFA defined

Multi-factor authentication is an additional layer of security on top of standard username and password combinations and is one of the key methods to secure users’ access to IT resources. Users will be asked to provide two out of three possible security checks, namely ‘something you know’, ‘something you are’, and ‘something you have’.

MFA is generally configured so that ‘push notifications’ are enabled. These are prompts that appear on mobile devices when you ask to log in with your password. The MFA notifications will ask you to verify the login attempt and give the location of the request.

A push too many

A hacker will instigate an MFA fatigue attack when they try to log in with stolen credentials. A relentless stream of MFA push notifications will be sent to the account of the individual who is being targeted. This continuous bombardment results in fatigue, with the victim eventually approving access.

MFA fatigue attacks are now widespread, and Uber, Microsoft, and Cisco are just some of the companies that have fallen prey. Taking Uber as an example, the attack followed the standard approach: stolen credentials were used to bombard the target with continuous push notifications within an hour. In this instance, the hacker claimed in a WhatsApp message to be from Uber’s IT department and said that the push notifications would continue until approval was granted. The recipient eventually caved in and the attacker managed to access Uber’s intranet.
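The push-bombing pattern described above leaves a recognisable trace in authentication logs: a burst of denied or unanswered prompts for one user, sometimes ending in an approval. The following detection sketch is an added example, not part of the original post; the log format, field names, the 10-minute window and the threshold of five prompts are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push events: "timestamp user source_ip result".
# The format is an assumption; real identity providers log these differently.
SAMPLE_LOG = """\
2023-01-10T09:00:05Z alice 203.0.113.50 denied
2023-01-10T09:00:40Z alice 203.0.113.50 timeout
2023-01-10T09:01:10Z bob 198.51.100.20 denied
2023-01-10T09:01:15Z alice 203.0.113.50 denied
2023-01-10T09:01:50Z bob 198.51.100.20 approved
2023-01-10T09:02:00Z alice 203.0.113.50 timeout
2023-01-10T09:02:30Z alice 203.0.113.50 denied
2023-01-10T09:03:10Z alice 203.0.113.50 denied
2023-01-10T09:04:00Z alice 203.0.113.50 approved
2023-01-10T09:30:00Z carol 192.0.2.9 denied
2023-01-10T10:45:00Z carol 192.0.2.9 denied
"""

WINDOW = timedelta(minutes=10)   # assumed look-back window
THRESHOLD = 5                    # assumed number of unapproved prompts that counts as a burst


def parse_line(line):
    """Split one constructed log line into (timestamp, user, ip, result)."""
    ts, user, ip, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result


def detect_push_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return alerts for bursts of unapproved MFA prompts per user.

    'warning'  : threshold unapproved prompts seen inside the window.
    'critical' : an approval arrives while such a burst is in progress,
                 i.e. the user may have given in to the bombardment.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)      # user -> timestamps of unapproved prompts
    flagged = defaultdict(bool)      # user -> warning already raised for this burst
    alerts = []

    for ts, user, ip, result in events:
        q = recent[user]
        # Drop prompts that have aged out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if not q:
            flagged[user] = False

        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= threshold and not flagged[user]:
                flagged[user] = True
                alerts.append({"user": user, "severity": "warning",
                               "prompts": len(q), "source_ip": ip, "at": ts})
        elif result == "approved":
            if len(q) >= threshold:
                alerts.append({"user": user, "severity": "critical",
                               "prompts": len(q), "source_ip": ip, "at": ts})
            # An approval ends the burst either way.
            q.clear()
            flagged[user] = False
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert["at"].isoformat(), alert["severity"], alert["user"],
              f"{alert['prompts']} unapproved prompts from {alert['source_ip']}")
```

A critical alert is a reason to revoke the session and reset the password straight away, since the approval means the stolen credentials were already valid.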

How to reinforce MFA with better education

MFA remains an important line of defence despite the resourcefulness of cybercriminals in finding and exploiting new points of weakness. As a form of social engineering, MFA fatigue underlines how the human factor plays a key role in undermining cyber security. Cyber insurers see a high number of claims resulting from human manipulation and so place strong emphasis on cyber security education, for example simulated phishing attacks and regular training programmes to instil good practice and share knowledge on evolving cyber threats.

Many cyber insurers now provide cyber security training as part of their insurance offering. This encourages better risk management and can mitigate the effectiveness of future cyberattacks because threats such as MFA fatigue will be better understood and people will be on their guard. Cyber resilience depends on continual awareness and learning, backed by the right cyber insurance policy should a breach occur.

Written by Colin Fox – Cyber Risk Insurance and Media Liability Expert.

What types of insurance do Electronic Money Institutions (EMIs) need?


With the growth of fintech and digital currencies, many non-bank payment providers now offer online services to transfer money. Among them are Electronic Money Institutions, more commonly known as EMIs.

EMIs provide an alternative to a business bank account and are useful for smaller businesses and sole traders, who are often excluded from traditional business banking but can operate via e-money accounts. EMIs are authorised and regulated by the FCA and can issue e-money and provide associated payment services.

Innovation and protection

Every new business model involves risks that must be mitigated with appropriate insurance. At Elmore, we typically split EMI insurance into two main areas:

1. Specialist fintech insurance
2. Commercial office package insurance

Under these broad headings we provide a range of risk transfer policies. Let’s take a closer look at the types of insurance that EMIs should consider.

Breakdown of specialist fintech insurance

• Cyber Insurance
This covers the technology, legal, public relations and other costs involved in responding to a cyber event. It may involve direct financial loss from business interruption, extortion, data and payment card industry (PCI) fines and penalties and defence when a claim is brought against the company for cyber events.

• Professional Indemnity Insurance (PII)
PII covers negligent or wrongful professional service claims that result in third parties suffering injury, damages or financial loss. Insurance will cover the costs and expenses in defending a professional claim against a company and any damages if the claim is successful.

• Directors and Officers (D&O) Liability
D&O cover protects directors and senior managers against claims for wrongful or negligent acts in the execution of their duties. Claims may be brought by disgruntled shareholders, employees, creditors, competitors, suppliers, customers or by a regulator.

• Theft/Crime Insurance
This offers protection against theft, fraud and other dishonest acts by employees or third parties that damage the business and its reputation.

Breakdown of commercial office package insurance

• Employer’s Liability Insurance
All businesses should have cover against the cost of compensation claims arising from any illness or injury sustained by an employee as a result of their work for the employer.

• Public & Products Liability Insurance
Services or products provided to the public may lead to claims if the service/product is deemed to be sub-standard, damaging, or misleading. Insurance will cover the cost of claims made by members of the public in connection with business activities.

• Property Insurance
This covers damage/loss to buildings, contents, portable equipment and other property as a result of fire, flood or theft.

Are you covered?
Elmore helps EMIs and other fintechs stay protected in the digital economy. If you would like a risk assessment of your business, we can conduct a review, highlight any gaps in your cover and then provide appropriate insurance. See the full range of our services and please get in touch if you would like more information about how we can help you.

Written by Tom Abbotts – Cyber, Technology and Fintech Team Leader of Elmore Insurance Brokers.

Elmore Insurance Brokers Limited.

Risky business: finding insurance in the volatile crypto marketplace


The last two years have been tumultuous for cryptocurrency. From its peak in November 2021, the market has shed more than $2 trillion in value, and some leading crypto companies have been either deeply wounded or gone under. For example, the cryptocurrency platform Celsius Network is a recent casualty, filing for bankruptcy this July, while other crypto companies have announced layoffs and frozen withdrawals.

The ever-changing Web3 space is risky for entrepreneurs and investors alike, and unfamiliar territory for insurers. So, what cover is available for Web3 firms through the peaks and troughs, and how are insurers responding?


The quest for insurance

Web3 firms the world over have struggled to protect their nascent and volatile industry. Insurers have mainly stood back and monitored developments, wary of the unknown but also keen to explore opportunities for new Web3 business lines. While cold storage insurance is widely available for digital assets, insurers have found it challenging to cover more specialised risks such as cyberattacks, internal and external crime, professional liability, and directors and officers liability.

Although conventional insurers remain cautious when considering cover for crypto firms, the landscape is changing. Bermuda-based Relm Insurance is one insurer that has made a name for itself in both the crypto and insurance communities. Relm began life as a captive insurer for its parent, Deltec bank, an institution used by many crypto businesses for the storage of their fiat treasury. In just a short time, Relm has become a leading insurer of hard-to-place digital asset risks and recently achieved an A rating from the US rating agency Demotech.

For more established insurers, with recognised S&P/AM Best A ratings, which can sometimes be a deal breaker for institutional businesses, risk appetites are growing. Beazley, which manages several syndicates at Lloyd’s of London, recently opened a pilot using its Lloyd’s innovation budget to determine whether digital assets is a class they could write more widely for cyber and professional indemnity. Beazley has also launched CryptoGuard, a specialist D&O solution to protect senior executives in crypto companies, reflecting a growing interest in this sector.

AM Trust is another example of an insurer that is now more receptive to writing crypto insurance, while Avertas calls itself “The world’s first cryptoasset insurance company.” Other insurers will follow as crypto becomes more mainstream despite its inherent volatility. Indeed, crypto insurance is sure to become more important given the instability of the cryptocurrency ecosystem and the need for balance sheet protection from operational risks.

What types of insurance do crypto businesses need?

The latest crypto crash comes as a reminder that digital assets carry extra risks and that regulatory uncertainty exacerbates those risks. Crypto businesses and insurers must focus on the following:

• Professional liability – protection against claims from third parties who allege they have suffered a loss as a result of a failure in professional/technology services
• Cyber – protection against cyberattacks, business interruption, ransomware, denial of service and liability from a cyber event
• Crime – protection against losses resulting from employee or third-party fraud
• Directors and officers’ liability (D&O) – protection for senior executives who are liable for the decisions they take on behalf of their companies.

Crypto and the future

Whatever the highs and lows of crypto, it will play a growing role in the global economy and should be firmly on insurers’ radars. Insurers must continue to monitor crypto developments and deepen their understanding and knowledge of digital assets. As an insurance innovator and digital specialist, Elmore is helping to guide the industry and manage risk in this fast-moving marketplace.

Written by James Love – Junior Client Executive of Elmore Insurance Brokers.


Reflections on Europe


Francisco Monteiro, Managing Director of Elmore Europe, discusses the growth of the Lisbon office and the priorities and challenges for insurance across the continent.

Elmore Europe has been operating for more than a year now. Why did you create a European hub in Lisbon?

Five years after launching in the London Insurance Market, our founder and MD Simon Gilbert decided to target Europe and build on Elmore’s success. Brexit, of course, was a key consideration. Like other insurance businesses, we needed to think long-term and ensure we could operate across the EU. Establishing a European hub gave us the required legal foothold, and one of the reasons for choosing Lisbon was because of its highly skilled workforce. Simon also had connections with Portugal as well as good relationships with the local broker community. Our Lisbon hub means we have passporting rights across Europe, and most of our clients – for now – are outside Portugal.

What are your focus areas and plans for growth?

Financial lines are our main focus and we offer all the services that we provide in London. Amongst others, we cover professional liability, management liability, cyber insurance, financial institutions insurance, and fintech insurance. Although the team in Lisbon is still quite small, Elmore in London provides backup and we intend to hire more staff locally. We have plenty of submissions coming through so will definitely need to expand.

Our current designation is ‘insurance agent’ but we’ll become an authorised broker in the near future. We’ll be following in the steps of the London office, which has been granted a Lloyd’s of London broking licence for the UK operation and is directly authorised and regulated by the Financial Conduct Authority. Once our Portuguese business has broker status, we can access the Lloyd’s Brussels capacity.

How important is cyber insurance and what are the challenges?

Cyber insurance is a strong growth area for Elmore. We’ve seen high-profile cyberattacks in Portugal recently, and it’s an issue across all geographies and sectors. Moreover, with the conflict in Ukraine and the growing risk of large-scale attacks, there is no room for complacency: governments, businesses and individuals are all vulnerable.

As the risks mount, insurers are finding it increasingly challenging to provide cover. With so many attacks and new threats, and the sophistication of cybercriminals, it’s difficult to remain one step ahead. At Elmore, we’re cyber specialists who stay abreast of the ever-changing risk landscape. We help businesses to understand the risks, strengthen their defences through best practices and cyber awareness, and find appropriate insurance policies.

How are partnerships shaping your business? What organisations do you work with in Europe?

We firmly believe in collaborating with fintechs and other industry experts and specialists. Partnerships facilitate the exchange of ideas and knowledge and create strong relationships that can promote better insurance products and services. We aim to be highly visible and active in the community, and we’re keen to work with organisations that can learn from our industry and sector expertise and in turn add value to our business. Our current partners include Fintech House, DIFC FinTech Hive, and Fintech Belgium.

Fintech insurance is one of your key strengths. How has this evolved and what are your plans for the future?

The growth of fintech is an important side effect of digitalisation and open banking. Innovation and disruption are everywhere across financial services, and digital challengers are competing with established players and developing new products to better serve customers. But with innovation and new business models comes risk, so insurers must play an increasingly important role in managing those risks and protecting fintechs as they move from start-up to scale-up and beyond.

Elmore is committed to fintech insurance and has developed market-leading knowledge and expertise. We have watched the fintech marketplace develop, we understand the risks facing new business models, and we know the measures and behaviours that fintechs must adopt to protect their businesses as they grow.

This is why we launched fintechinsurance.com, our dedicated portal to guide and protect fintechs. From risk identification and silent reviews through to risk transfer, incident response and claims handling, we enable fintechs to trade confidently and build their businesses. Fintechinsurance.com is a joint initiative by our London and Lisbon offices, and it draws on an international network of brokers who can coordinate both local and global insurance through a single channel.

What other areas is Elmore Europe looking at?

We’re a multidisciplinary insurance specialist that continually monitors the risk landscape. We provide insurance where it’s most needed, and, like many of the clients that we serve, we’re also an innovator. We’ll develop new lines as appropriate, filling gaps in the market and meeting new demands and emerging risks. For example, digital assets is a growing area of focus, and we’re also looking at media industries. One thing is sure: with climate change, pandemics, geopolitical instability and conflict, the world is becoming more dangerous and there has never been a greater need for risk awareness and all types of risk transfer – not least insurance.

Written by Francisco Monteiro – EU Managing Director of Elmore Lda.

Elmore Insurance Brokers Limited.

Considerations for Crowdfunding Service Providers Applying for Professional Indemnity Insurance

The digital age has made it easy to raise funds for business ideas through online crowdfunding service providers (CSPs). Four types of CSPs are available to a business, two of which – debt and equity-based funding – fall under regulations that require a CSP to have professional indemnity insurance (PII).

Key underwriting considerations and questions when reviewing a CSP for insurance

1. What due diligence is undertaken by the crowdfunding service provider before allowing companies to raise capital? Are the companies legitimate?

Crowdfunding is becoming more and more popular worldwide. Client money is in some cases held by the CSP, increasing its operational risks. Risks include failure of the investment, fraud, and money laundering.

Underwriters must ensure that a CSP undertakes thorough due diligence to mitigate its risks and avoid liability. Due diligence should comprise background checks, site visits, credit checks, cross-checks, account monitoring, and third-party proof on funding projects.

2. Insurers must confirm that companies raising capital through CSPs are not from crypto or cannabis industries.

Cryptocurrency is still excluded by most insurers, although demand for cover is increasing and insurance is becoming available. However, insurers need more clarity to develop policies.

Like crypto businesses, cannabis firms still don’t have many options when it comes to insurance, as major insurers are staying out of the market because cannabis is still illegal in most territories. That said, some insurers do offer cover.

3. What are the responsibilities of a CSP? Does the CSP assume the role of a nominee shareholder on behalf of the investors?

This question is relevant when the CSP is an equity-based crowdfunder.

Equity-based crowdfunding is where funds are invested by a large number of people, each putting in a small amount in return for shares.

Most crowdfunding platforms offer nominee shareholding. This is where the platform is a limited company solely for the purpose of holding shares on the funders’ behalf.

While this makes life much easier for businesses because they can involve their shareholders in decisions, it is highly risky for the CSP and opens it up to complaints/claims, not only from the business raising funds, but also from the individuals/investors. This makes it hard for insurers to consider covering CSPs that assume the role of nominee shareholder on behalf of the investors.

4. Is the CSP involved in the transfer of funds between the investor and the capital-raising company?

Most CSPs facilitate the collection of funds between the investor and the capital-raising company. Even though this is considered high risk from the insurer’s point of view, it can be insured as long as the CSP has its own payment initiation service provider (PISP) licence or uses the payment services of an authorised PISP.

5. Confirmation that KYC (know your customer) and AML (anti-money laundering) procedures are in place.

Underwriters expect CSPs to be fully compliant with AML regulations and to conduct a reasonable investigation of their onboarding companies to make sure they are legitimate before joining their platforms. CSPs must check fundraisers and follow AML and KYC procedures to prevent suspicious activities on their platforms. These checks enable potential threats to be detected and potential crimes to be prevented.

Available insurance coverage for CSPs
Elmore has developed a ‘package’ insurance policy that comprises a range of different policies for different scenarios that may arise when running the platform. A key area is professional indemnity insurance (PII), which covers the legal costs incurred as a result of claims from third parties for a failure in the provision of the technology platform’s services. Cyber risks, management liability and external and internal theft are also included as part of the overall package — in one policy document.

We recommend buying a package policy to minimise the risk of claims falling through the gaps between policies, particularly for claims relating to privacy and security breaches, which can result from professional negligence covered by a PII policy and can also be covered by a cyber insurance policy. General liability, including public, products and employers’ liability, should also be purchased for damage to goods and bodily injury to the public and the business’s employees.

About Elmore Insurance Brokers
Elmore Insurance Brokers Limited advises its clients to actively manage risk to optimise insurance. Insurance is a partnership between businesses and insurers, and it depends on clear and focused engagement. Elmore is committed to helping its clients understand current and evolving risks and promote best practices in risk management.

Written by Francisco Monteiro – EU Managing Director of Elmore Lda.

Elmore Insurance Brokers Limited.

5 risks that sharing economy platforms face

Sharing services, sharing products, sharing value, sharing risks? Here are the top 5 insurable risks for sharing economy platforms and how to manage them:

1. Professional services and management decisions:
Exposures can arise from execution risk when sharing economy platforms develop innovative methods of offering services, products and investment. If you lack plans for business disruption, you face professional services risks as well as risk from management decisions.

2. Cyber threats and privacy breaches – Because platforms use technology to connect customers with product and service providers, cyber events can pose serious operational and reputational risks for sharing economy businesses. A cyber and technology insurance policy will typically provide a risk transfer solution for both first-party business interruption (BI) risks and third-party liability exposures from security breaches.

3. Business interruption – Business interruption is an established class of insurance, with the policy trigger usually being physical or non-physical damage. Sharing economy businesses can experience a variety of business interruption scenarios such as supply chain failure, fire/flood or other acts of God, as well as reputational damage, all of which could drive users away from the platform.

4. Property damage – Damage to owned or third-party property while in transit or leased to a consumer can typically be covered by an insurance policy. However, fraud is an area of concern for underwriters, and the insured must have adequate protocols and procedures in place to mitigate the risk of property fraud.

5. Intellectual Property (IP) – IP rights are only useful if you are able to enforce them – and enforcing or defending IP rights against infringement can be costly. You should consider taking out an IP insurance policy to cover the expenses of legal proceedings.

Available coverage
User fraud is a concern for insurers, particularly in relation to leased property. Terms and conditions should determine where liability arises in most cases, but if there is an unresolved dispute, there may be a legal claim against the platform for failing to sufficiently vet the user.

A solution is to ensure the platform has a ‘package’ policy that covers a range of different policies for different scenarios that may arise when running the platform. A key area is professional indemnity (PI) insurance, which covers the legal costs incurred as a result of claims from third parties for a failure in the provision of the technology platform’s services.

We recommend buying a package policy to minimise the risk of claims ‘falling through the gaps’ between policies, particularly for claims relating to privacy and security breaches, which can result from professional negligence covered by a PI insurance policy and can also be covered by a cyber insurance policy. General liability, including public, products and employers’ liability, should also be purchased for damage to goods and bodily injury to the public and the business’s employees.

About Elmore Insurance Brokers
We advise our clients to actively manage risk to optimise insurance. Insurance is a partnership between businesses and insurers. This partnership can be significantly enhanced by understanding and implementing risk management best practices.

Written by Tom Abbotts – Cyber, Technology & Financial Technology (FinTech) Team Leader of Elmore Insurance Brokers Limited.

Elmore Insurance Brokers Limited.
