Cyber Insurance for law firms: Frequently Asked Questions
Cyber attacks are an ongoing and significant threat for law firms and they have been increasing steadily over recent years as law firms and their clients have embraced technology.
Business Email Compromise (BEC) and ransomware are particular areas of concern and examples of this have been well reported in the legal press. A Cyber Insurance Policy provides cover that is not available under a primary (MTC-compliant) PII policy. It is important to understand the differences.
At Howden we are concerned that the benefits of a separate Cyber Insurance policy are not always well understood. To illustrate both the importance and benefits of having separate cyber cover in addition to your Professional Indemnity Insurance (PII), we present the following questions that are regularly asked by our law firm clients.
The answers given are, as always, subject to all policy terms and conditions. As far as PII is concerned, all answers are specifically referenced to the current Minimum Terms and Conditions (MTCs) with which the primary £2m or £3m of cover must comply. There are more cyber-related exclusions in excess layer policies for PII and these will differ depending on who has provided the cover. It is therefore important that you consider the terms of your excess layer policy separately.
1. Why do I need Cyber Insurance when I keep hearing that my solicitors’ PII policy is gold-plated and as broad as it gets? Surely we are covered for losses arising from a cyber incident?
Solicitors’ PII based on the MTCs does offer very broad cover and there are some losses arising from cyber attacks where the PII policy will respond. However, it will not respond to all losses and it is important to understand where the gaps are. The most obvious gap is in respect of first party loss. Significant costs can arise that are not related to any actual or potential claim by a third party, and that therefore wouldn’t be covered under your PII.[1] Some examples of first party expenses and losses are:
It is important to remember that, unlike solicitors’ PII, there are no standard minimum terms for Cyber Insurance. It is therefore very important to ensure that you understand what you are purchasing. For example, to recover loss of office account funds following a BEC or social engineering event, you will need to ensure that you have a cyber crime extension under your Cyber Insurance.[2] Unlike your PII policy, it is also usual for the self-insured excess to apply to all costs and expenses.
2. Does our PII policy cover us if we are hacked and lose funds from the client account?
Yes, there is cover under the Solicitors’ primary PII policy for the loss of client account funds as a result of a hack or other cyber attack. This arises due to the definition of “claim” in the MTCs which includes: “an obligation to remedy a breach of the SRA Accounts Rules, except where that obligation arises as a result of the insolvency of a bank or building society holding client funds – or their failure to repay monies on demand.” The loss or improper removal of funds from the client account is a breach of the SRA Accounts Rules that must be remedied by the firm. So, even before the client has made a claim, there is a “deemed claim” that the PII policy will respond to. A Cyber Insurance policy could also potentially respond to a third-party claim in addition to the cover under your PII policy. Subject to policy terms and conditions, it could be applied in excess of your PII or as the primary cover. However, as explained above, this will turn on the specific terms of your cyber cover, and you may need to ensure you have a cyber crime extension if the Cyber Insurance policy is to respond. If a cyber crime extension is not available then a standalone Crime Policy would be needed.
3. If our accounts clerk makes an error and keys in £10,000 when transferring client money as opposed to £1,000, then what policy will respond if the funds cannot be recovered?
This is an accidental administrative error involving third party funds and the PII will respond as opposed to a Cyber Insurance policy. A Cyber Insurance policy will generally only respond where there has been some breach of IT security or unauthorised use of your computer network or data held thereon. It will not therefore respond to employee oversight / negligence of this nature (whether in relation to client money or office money).
4. Does our PII policy cover us if we are the victim of a ransomware attack and miss the limitation deadline for issuing proceedings due to our systems being frozen, causing loss to a client?
Yes, your PII policy would respond in this scenario. Any claim would allege negligence in the provision of professional services: it is the fact that you missed the limitation deadline, as opposed to the ransomware attack per se, that will trigger the cover.
5. Will our PII policy also fund the ransom or otherwise remediate our systems so that we can be operational again and remove the risk of missing other deadlines?
No. This is what is known as a “first party loss” and it will not be covered under a standard solicitors’ PII policy. This is one of the reasons why firms should have a separate Cyber Insurance policy. While there are no “minimum terms and conditions” for Cyber Insurance policies, this type of loss is a core part of the coverage typically provided.
6. What happens if the client’s email account is hacked and we act on an email instruction noting a change of account and deposit client funds to the account of a fraudster?
The issue will be whether you acted negligently or in breach of contract by acting on an email instruction to change account details, without taking any steps to check that the instruction was a genuine one. The PII policy would respond in such a scenario given the underlying negligence/breach of contract allegations that would be relied on to bring a claim.
7. What happens if cyber criminals gain information about the suppliers we use and send bogus emails resulting in us paying a large sum from our office account to the cyber criminals?
This scenario is not at all uncommon and is known as ‘social engineering’. As mentioned above, there is no cover for the resulting “first party” loss under a standard PII policy, but it is a loss that is typically covered under a Cyber Insurance policy if the cyber crime cover option is available and has been purchased. If it is not available as an option under a Cyber Insurance policy, which might be the case for large law firms, then a standalone Crime Policy would be needed.
8. What happens if our accounts clerk makes unauthorised electronic transfers from our office account for their own benefit?
This is pure employee crime and not covered by a Cyber Insurance policy. As it is first party funds, as opposed to client money, it is not covered by a standard PII policy either. Separate Fidelity Insurance is an option to address such a scenario.
9. What happens in the event a third-party service provider suffers a security breach or a failure of their systems that impacts our ability to undertake work for our clients?
We are having an increasing number of conversations regarding the cover position when there is an issue involving service providers, particularly those providing IT services. A robust Cyber Insurance policy will include coverage, even if sub-limited, for what is known as Dependent Business Interruption: the loss of income and extra expenses resulting from an incident at a third-party service provider. It is important that you check your policy to ensure that you understand how a “service provider” is defined, and we would recommend speaking to your broker to discuss any concerns on this issue. In addition, we recommend you review your contracts with service providers to ensure that any limitations of liability (including any monetary caps) they are seeking are reasonable and appropriate.
10. We have suffered a business email compromise and urgently need to undertake some forensic analysis to understand what client information has been accessed. Is this covered under our PII or Cyber Insurance policy?
This will not be covered under the PII policy, but it is typically what is covered under a Cyber Insurance policy. A good Cyber Insurance policy will provide a specialist panel of suppliers who deliver IT forensics, legal and public relations services as part of an “incident response service”. Speed of response, together with legal assistance, is important in these situations and this cover will ensure you have prompt access to the appropriate experts funded by your cyber insurer.
11. Confidential client information has been disclosed as a result of a cyber incident. We need to make a report to the ICO and we expect that they will require us to notify all affected clients. We can do this, but we are a small firm and it will take a lot of partner time. Would we be compensated for our time under a Cyber Insurance policy?
The costs of liaising with the ICO and making appropriate notifications to potentially affected individuals are a core part of cyber insurance. A Cyber Insurance policy also provides cover for any resulting regulatory investigation or third party claims. Most Cyber Insurance policies will provide a pre-approved vendor incident response panel to use, which can be contacted directly. We always recommend that you use the response panel in order to reduce the impact on the business. Use of any other external vendors will require prior consent of insurers, which is difficult when much of the work is time-critical. Your own time spent on the matter (in addition to or in place of external vendors) is unlikely to be recompensed. There is potential that an “investigation” or “inquiry” by the ICO would be covered under the definition of “defence costs” in a solicitors’ PII policy, but this will only be the case where the matter is related to a claim or circumstance notified under the PII policy. It is therefore preferable for firms to have the appropriate cover under a separate Cyber Insurance policy. The time and cost to undertake a forensic analysis of systems, report to the ICO and communicate with affected clients can be considerable and in the worst-case scenario has the potential to financially compromise a firm. So buying a Cyber Insurance Policy is potentially a good investment.
12. What do we do if our email is hacked and our clients get emails purporting to be from ‘us’, but they’re not?
Prompt action is essential as soon as you become aware of any Business Email Compromise. It is important to stop and mitigate the incident as soon as possible. A Cyber Insurance policy will generally provide direct access to an incident response vendor panel, with a co-ordinated team of IT forensic, legal and public relations experts to provide a swift response. As a minimum, actions generally required include:
It is very important that you have access to the right, experienced help and support; again, this is cover that is typically provided by a Cyber Insurance policy (rather than your PII policy).
13. What systems and procedures do we need to have in place to get Cyber Insurance cover? If we have something in place which we think is adequate, can the insurers disagree retrospectively if a claim comes in?
The Cyber Insurance proposal form will ask for details regarding the systems and procedures the firm currently has in place. Under the Insurance Act 2015 you have a duty to provide insurers with a fair presentation of the risk and accordingly care must be taken to answer all questions correctly, with all material information disclosed. Cyber Insurance policies do not typically contain conditions regarding systems and procedures and their maintenance, so insurers cannot generally raise the adequacy of your systems as a barrier to cover when a claim arises, if you made a fair presentation on placement. However, some insurers are now providing exclusions for unsupported software, for example Windows 8, due to Microsoft no longer providing updates and support for it. It is always important to read your policy wording and check with your broker to find out if there is anything you need to be aware of. Acting in good faith is also important and insurers would expect to be advised should your security reduce materially during the policy period, for example by removing your firewalls or antivirus software. Your duty to provide a fair presentation of the risk is a continuing one under the Insurance Act 2015 and does not stop upon submission of your proposal form to insurers. Always talk with your broker if you have any concerns in this regard.
Michael Blüthner Speight MA (Oxon), Solicitor
Divisional Director, Legal Practices Group
Please remember all answers are specifically referenced to primary cover that complies with the SRA’s Minimum Terms and Conditions (MTCs). There are more cyber-related exclusions in excess layer policies for PII and these will differ depending on who has provided the cover. Please consider the terms of your excess layer policy separately.