Urgent Stop Press: Market gets tough on cyber insurance for law firms
17 February 2022
Law firms are continuing to see an increase in cyber threats. Do you have a cyber insurance policy or are you intending to purchase one? There are some developments in the cyber insurance market you need to be aware of.
You will be familiar with the third party cover for cyber-related events available under your PII programme, but there are several first party risks to which the PII will not respond. A cyber insurance policy provides the best opportunity to bridge this gap. It is designed to assist in the event of a cyber-related event such as a ransomware, social engineering, or phishing attack. It has become an increasingly important purchase for law firms.
Insurers providing cyber insurance policies are following developments very closely. Their perception is that law firms are particular targets in view of the potential pickings if a cyber criminal is successful in, for instance, diverting client funds to their own accounts. Insurers are being more cautious as a result. Recent high profile ransomware attacks have heightened their concerns further.
Law firms need to be aware that some insurers have pulled out of this area of the market altogether and are not renewing policies. More could follow. Others are insisting on certain minimum requirements in order to consider renewal applications or new business.
We want to alert firms to the fact that insurers will want to confirm the following as a minimum:
- The use of multi-factor authentication (MFA) for cloud-based services (such as cloud-based email account access) and for all remote access to your network
- No remote access into your environment without a virtual private network (VPN)
- Regular (at least annual) cyber security awareness training, including anti-phishing, is provided to all individuals who have access to your firm’s network or confidential/personal data.
- A segmented backup solution. Are you undertaking regular back-ups of critical information to a “cold” or “offline” location that would be unaffected by an issue with your live environment? Are you testing whether those backups are recoverable?
These are the basic current requirements which have been advised by insurers in one form of words or another. We cannot guarantee that there won’t be more when your time comes to renew, however, these should be regarded as a minimum for now.
If you are not presently able to confirm these core security measures are in place, we recommend that you should address this issue urgently, as no grace period is likely to be available beyond the renewal date of any current policy.
Firms unable to confirm that the above safeguards are in place, may find it difficult, if not impossible, to secure renewal terms from their current insurer or obtain a quote from any insurer offering cyber insurance cover.
We acknowledge that the difficulties in the cyber insurance market will not be welcome news for law firms, but we want to ensure you are informed. We also want to give you as much notice as possible to address any shortfalls in your processes well in advance of your next renewal.