As solicitors in England & Wales who have had a recent Professional Indemnity renewal will know, there has been an increased focus on cyber risks in the legal sector from insurers over the last few months, alongside an SRA consultation and ongoing discussions about where a firm’s PII policy should stop and a standalone cyber policy, if there is one in place, should operate. Below is our summary of the key issues.
The risk landscape
Cybercrime is arguably the biggest threat most businesses face today. 39% of UK businesses report having had cyber security breaches in the last year.[1]
Legal practices are highly targeted by sophisticated cyber criminals in the knowledge that even a small firm may hold and move significant sums of client money. Even though technology has led to considerable improvements in process, the workflows, methods of money transfer and ID checks carried out by law firms will always have vulnerabilities and be open to attack.
The most common method of extorting client funds remains the delivery of malware via phishing, vishing and social engineering, exploiting the ‘human’ element of the chain and influencing people to transfer funds to an incorrect destination. There has also been a huge rise in ransomware attacks, with criminals encrypting data and demanding a payment to release it. Such attacks increasingly target businesses rather than individuals.
It may be the large attacks that hit the headlines (such as global firm Jones Day having 100GB of data stolen at the start of 2021[2]), but we are aware of a notable number of small, sub-three-partner practices that have also experienced severe cyber losses, with a handful of our own legal sector clients having erroneously transferred five and six figure sums to criminals in the last two years.
Cybercrime risks are not going away. Our advice is that all legal practices, however they are regulated and whatever size they may be, must give serious consideration to their risk management approach on cybercrime and be satisfied that they are doing all they can to mitigate / transfer those risks accordingly.
Insurance and the regulatory position
The Professional Indemnity Insurance policy taken by solicitors in England and Wales, written under the SRA’s Minimum Terms and Conditions wording, has been silent on the subject of cybercrime losses. The broad scope of cover this policy wording gives means that client money losses arising from cybercrime have been payable by Professional Indemnity insurers; not something a policy originally designed to cover negligence was intended for. This is one of the major factors contributing to the increased PII premiums most law firms have faced over the last two years.
The evolution of cyber losses has led to many PI insurers scrutinising firms’ IT arrangements and asking if they hold a standalone cyber insurance policy, sometimes going as far as to request that firms have separate cyber cover with certain minimum limits.
Over the summer this year, the SRA conducted a consultation, proposing a clause be inserted into the MTCs “that makes it explicit that the consumer protection under our PII arrangements equally applies if the loss is because of a cyber-attack/event”.[3] Whilst the intention of continuing to protect consumers is obviously the right one, the consultation has caused much debate amongst firms, insurers, brokers and the regulator. It can be argued that the use of any clause around cyber means the wording becomes open to interpretation, therefore leading to different views on when cover operates and to what extent. This will only be tested should the clause come into force and be challenged by either insurers or firms in the event of a contested claim.
The SRA has now confirmed it is looking to include the clause within the MTCs from early 2022, subject to the Legal Services Board’s approval. Assuming this goes ahead, solicitors will find themselves in a position where the precise scope of PII cover may be unclear or debated for a time, with many firms still not carrying separate cyber insurance policies or, if they do, not necessarily understanding the exact cover they hold and how a claim would be met between various insurers.
There is no requirement for a solicitors’ professional indemnity insurer to provide ‘first party’ cover to an insured in the event of a cyber loss – i.e. the costs of investigating an attack, restoring or rescuing data or dealing with any reputational damage. We would therefore urge all firms to seek advice on, and seriously consider taking out a separate cyber insurance policy, including cover for cybercrime.
Unlike PII for solicitors, there is no sector-wide cyber policy wording. Cover, premiums and the quality of response or claims service can vary greatly between insurers. Some insurers will specify strict inner limits on claims arising from the wrongful transfer of funds, and we know of at least one insurer that excludes losses on a firm’s client account entirely. Whilst this may seem acceptable given that client monies are covered under a law firm’s PII policy, if the wrongful transfer of client funds can be picked up by a specific cybercrime coverage, this moves risk away from a firm’s PI insurer. In tough PII trading conditions with premiums still rising, anything that can be done to demonstrate that PI insurers have less chance of receiving a claim will only help.
The regulatory position, technology, risk management methods and insurance products are evolving almost as quickly as the various methods of criminality in this area. The issues can be complex, which can make it difficult to ensure that you have relevant cover in place. JM Glendinning’s Professional Risks team consists of separate, dedicated PII and cyber insurance experts who can provide you with independent advice on the topics discussed above. If you require any assistance whatsoever, please do not hesitate to get in touch.
[1] Source: NCA – National Strategic Assessment of Serious & Organised Crime
[3] https://www.sra.org.uk/sra/news/press/pii-cybercrime-clause/ and https://www.sra.org.uk/sra/consultations/consultation-listing/pii-cyber/
Gareth Milner, Professional Risks Client Director, firstname.lastname@example.org, 07923 246 237
Andy Parkin, Cyber Risks Client Director, email@example.com, 07706 355 547