A guide to incident and breach reporting
Reporting incidents and breaches is a critical step when something has gone wrong or sits outside standard practices. Third parties acting on behalf of QBE have additional reporting requirements so that we can meet our obligations and compliance requirements under QBE’s Australian Financial Services Licence and General Insurance Code of Practice (GICOP) conditions. Reporting also enables us to proactively address potential concerns or trends before they become significant. It’s important to note that when breaches occur, notification to QBE is required within two business days.
Incidents or breaches usually occur because of an operational breakdown. These breakdowns can be caused by inadequate or failed internal processes, people or systems, or by external events. These breaches can lead to:
- financial impacts, such as loss or unexpected gain
- non-financial impacts, such as reputation, customer, people, business continuity and management efforts, and/or compliance where we have failed to meet an obligation set out in law, regulation or industry code.
There are 4 types of breaches which must be reported to QBE:
1. Data, privacy, security
An incident which involves:
- Unauthorised access, use or disclosure of personal information,
- Loss of personal information, and/or
- A compromise of information security.
Examples include:
- An email containing customer personal data sent to the wrong person
- A cyber-attack on systems which results in a compromise of customer data.
2. Dealings outside the Target Market Determination (TMD)
Selling a retail product to a customer outside QBE’s Target Market Determination (TMD). A TMD provides information regarding which class of customers the product is suitable for (the target market) and which customers the product is likely to be unsuitable for.
3. Financial services law
Non-compliance with external legislative and regulatory requirements when providing financial services to customers.
These obligations relate to:
- Corporations Act 2001 (Cth)
- ASIC Act 2001 (Cth)
- Insurance Contracts Act 1984 (Cth)
- National Consumer Credit Protection Act 2009 (Cth)
- General licence obligations
- Financial Statements
- Authorised Representatives (ARs)
- Disclosure requirements
- Regulator instructions/requests
- Record keeping
4. General Insurance Code of Practice (GICOP)
A GICOP incident or breach is an operational breakdown that results in non-compliance with QBE’s obligations under GICOP. Standards relate to conduct and customer service, for example, training requirements, selling insurance, cancelling insurance, claims handling, claims investigations, vulnerable customers and customers experiencing financial difficulty. Breaches can result in financial impact and/or non-financial impacts for a customer.
Third parties acting on behalf of QBE have an obligation to report incidents and breaches to QBE. This includes QBE’s intermediaries, partners, authorised representatives, distributors, and services suppliers.
If you need more information on the definition of these groups, please refer to the Third Party Breach Reporting Frequently Asked Questions document for applicable definitions.
Once you have submitted the form:
- You will receive an email confirming the details provided
- QBE will contact you if further information is required
- If you need to obtain a copy of a reported incident/breach, or need to edit the information, please contact your QBE Relationship Manager.