Does Your Law Firm Have Cyber Insurance?

On 30th January 2019, Anna Sweeney, Director for Insurance Supervision at the Bank of England’s Prudential Regulation Authority, wrote to the CEOs of many insurance firms providing cyber insurance services.

The purpose of the letter was to inform them of the results of a survey conducted in 2018 on what needs to be done to improve the management of cyber-related risks.  Several firms reported back that, having undertaken stress tests on their ability to handle claims following cyber-attacks, they assessed the “potential risk of loss from cyber events as being comparable with major natural catastrophes in the US”.  While this poses a serious challenge for insurance underwriters, it should also act as a wake-up call to those organisations that have yet to put in place cyber insurance.

The Association of British Insurers (ABI) have also recently reported that cyber insurance pay-outs are at 99% but the uptake is still too low, with up to 89% of businesses not covered.  James Dalton, the ABI’s Director of General Insurance Policy, stressed, “Cyber insurance is a valuable product – the claims acceptance rates speak for themselves, and the additional support a business receives, beyond dealing with the pure financial losses is a key attribute of most cyber insurance policies, too often overlooked”.

What does cyber insurance cover?

Cyber insurance, also referred to as cyber liability insurance, typically pays the costs of both the first party (the business directly affected) and third-parties (those who are affected and bring a claim against the first party).

According to the ABI, insurance of this type may cover costs associated with:

  • Business interruption – including loss of income
  • Privacy breach – this may include, for example, the costs associated with setting up a call-centre to inform people and to handle enquiries and concerns regarding a data breach.
  • Extortion – covering both the ransom value and consultation required for the negotiation of this amount
  • Damage caused by hacking including recovering lost data and restoration of systems and services
  • Media liability – e.g. to cover claims for libel, slander, or defamation relating to content on digital media platforms such as social media and your website.
  • Investigative costs – including specialist digital forensic support
  • Damages, settlements and litigation costs associated with claims by third-parties
  • PR crisis management

As such, any business which captures, processes, or stores information relating to its business operations and/or clients, or is in any way vulnerable to a cyber-attack, should consider cyber insurance.  Hiscox advise that cyber insurance premiums are determined by several factors, which may include your company revenue, the level of your existing security measures, industry sector, geography, previous cyber-attack history, and the type of data held.

Specific cyber insurance considerations for law firms

All legal practices are required to put in place suitable levels of professional indemnity insurance (PII), but such policies will not protect in the event of a cyber-attack.  Cyber insurance needs to be purchased to supplement existing PI insurance.  Before you do so, the Law Society recommends that you assess your risk, by determining:

  • The potential reputational damage which would follow a cyber breach
  • The amount of sensitive information held by your organisation
  • Your existing resources and capability to manage and recover from a cyber-attack event

The type of cases you handle, the profile of your clients, and the extent to which you need to analyse sensitive electronically stored information (ESI) during document review and disclosure (eDiscovery) processes, will all determine the level of cover you require.

It is also important to consider the extent to which having cyber insurance in place may provide additional confidence and peace of mind to prospective clients and third-party partners.

Law firms must understand the risk management requirements associated with their cover.  These clauses are designed to ensure that businesses are taking precautions to avoid the possibility of data theft or any type of cyber breach – for example, mandating that all data be encrypted.  Cyber insurance generally does not cover the theft of money from a solicitor or client account – whether part of a cyber-attack or not.  A separate crime policy may be required for such an eventuality.  The extent to which your firm handles large amounts of money, e.g. for conveyancing, will determine how much cover you will need.

Final words

Cyber insurance cannot be used as a primary mitigation for the risk of cyber-attack.  Your law firm should first undertake an extensive assessment of its cyber vulnerabilities and put in place a programme to address them, including training, penetration testing, active surveillance for breaches, and procedures in the event of a breach.  Cyber insurance then provides a final line of defence, ensuring that any losses incurred by your business or by your business partners or clients do not threaten your ability to continue operating.  This peace of mind is invaluable.

 
