Social engineering: important discussion points for those managing risk within legal service providers



With more and more publicity surrounding the vulnerability of technology, risk-averse firms are increasingly resorting to cyber liability mitigation and insurance products as a key component of their risk management strategy. However, there appears to be a common misconception as to what cover is offered under a cyber policy. This could result in legal services firms purchasing the cover for the wrong reason.

What is social engineering?

A term increasingly used to refer to the practice of manipulating people into breaking normal security procedures, with the intention of encouraging them to give up confidential information.

Cyber insurance is, first and foremost, a risk management product which, through practical support provided by specialists, reduces the impact of the event in both practical and financial terms. The policies are intended to support insureds if their systems are compromised and to assist in restoring an organisation to its original position prior to the incident by providing:

  • IT forensic experts to investigate the occurrence and effect repairs;
  • Legal experts, with specialist experience in the Privacy/Regulatory arena;
  • Crisis Communication consultants to minimise reputational damage.

Insurers and their specialist suppliers (IT Forensic / Legal / Crisis Communication etc.) typically have more experience than a traditional professional services firm in handling these matters. As a result, it makes sense to outsource the management of a breach, with the costs associated with hiring experts being covered by insurers.

The query that we, as brokers, are often confronted with is: “What about the loss of ‘actual’ money?”

Cyber Insurance policies were not initially designed to provide cover for the loss of client funds in the event of a cyber-attack. Depending upon the situation, this exposure may be covered under your Professional Indemnity (PI) cover, but you should seek the opinion of your insurance broker before assuming it is. If cover is afforded under the PI policy, the threat that a data breach poses to client funds should not be the catalyst for purchasing cyber insurance.

Although client funds lost due to a breach are not covered, some cyber products provide a level of reimbursement for the loss of the law firm’s own funds due to a ‘social engineering attack’. It is important to note that these losses are becoming increasingly prevalent. Fundamentally, they involve a criminal misleading an employee, or sending communications purporting to be from a member of the firm, requesting the transfer of funds to a third-party account.

Howden’s soon-to-be-launched, exclusive Cyber Liability product for Conveyancers can be extended to include cover for first-party losses arising from Social Engineering. This policy endorsement is available in addition to the cover provided by our already comprehensive Cyber Liability.

If you are interested in receiving a quote for Cyber Liability cover please contact Paul Crilly or Edward Donne.

Kathryn Brown

Kathryn is responsible for Howden’s cyber offering, working with a number of businesses to manage cyber risk and implement the right risk transfer solutions. Kathryn is an ACII qualified Chartered Insurance Broker - and with over 10 years’ experience in the industry, there isn’t much she hasn’t seen.