Law firms are particularly exposed to cyber risks because they hold and transfer large sums of (usually client) money and because they hold and transfer sensitive corporate and personal data. In this article, Jonathan Corman of Fenchurch Law considers some recent developments in relation to the insurance implications of cyber crime and other cyber losses, and provides hints and tips for avoiding them.
“Cyber crime” describes various acts carried out by “cyber criminals”, including:
“Email modification fraud” (also known as “business email compromise”, or colloquially as “Friday afternoon fraud”), where cyber criminals intercept or falsify emails between clients and law firms, and bank details are changed from the original account to that of the cyber criminal. Email modification fraud is the most common problem affecting the legal profession.
“Phishing”, whereby criminals send emails in order to obtain confidential information (passwords, bank details, etc.) or to cause the unintentional downloading of malicious software (“malware”). Phishing now includes various sub-categories, such as:
“Ransomware”, whereby malware infiltrates the victim’s IT system, and ransoms are demanded by the cyber criminals in return for remedying the problem.
In addition to cyber crime there is the risk of non-criminal cyber losses, such as business interruption losses when servers crash, and claims or fines arising from the accidental or negligent dissemination of confidential information, which will almost inevitably constitute a breach of the GDPR [1].
Cyber policies are insurance policies specifically designed to protect policyholders against either first-party losses such as business interruption or third-party claims.
A relatively recent development in this sphere is the focus by regulators on “silent cyber” [2].
Silent cyber, also termed “non-affirmative” cyber, is the provision, perhaps inadvertently, of cover for cyber risks within traditional property and liability policies. That contrasts with “affirmative” cyber cover, which is expressly provided either in bespoke cyber policies or in express extensions within non-cyber policies.
Silent cyber is a problem for both policyholders and insurers.
For policyholders, it can lead either to a false sense of security, because they think that a traditional policy will cover cyber losses when in fact it will not, or, conversely, to wasted expenditure, because they purchase cyber policies when the risk is already covered under traditional policies.
For insurers, inadvertently giving cyber cover may lead to large losses for which they have made no provision via their pricing and/or for which they have inadequate reinsurance.
For both insurers and policyholders, silent cyber is a fertile ground for expensive and time-consuming coverage disputes.
From late 2016 onwards, the Prudential Regulation Authority started to focus on this problem. In 2017 it told insurers that they needed to “robustly assess and actively manage” their silent cyber exposure [3].
This led to Lloyd’s of London telling its members that they had to provide clarity in their policies, by either expressly excluding cyber cover or expressly providing it (i.e. affirmative cyber cover).
More recently, the Lloyd’s Market Association and the International Underwriting Association of London have developed a number of cyber-related endorsements which, in traditional property or liability policies, expressly exclude various cyber-related losses.
Unlike most insurers, those writing solicitors’ professional indemnity have not been able unilaterally to amend their policies, given the requirement that they conform to the SRA Minimum Terms and Conditions [4] (“the MTCs”).
The SRA issued a consultation paper in April, which indicates that its position will be that insurers will be free to make explicit that (as is the case in any event) first-party losses caused to a law firm by a cyber attack (e.g. the loss of the firm’s own money or the cost of rectifying any reputational issues) would not be covered.
By contrast, the very wide cover for third-party claims encompassed by the MTCs - whereby, save for certain exclusions, all “civil liability” is covered - is to remain in place, even if the liability is caused by a cyber attack. Thus, any redress due to a client, for lost money or lost data, will remain covered.
The SRA expressed the hope that this approach would not affect solicitors’ PI premiums given that it was merely expressing what was already the case. However, it remains to be seen whether PI insurers will cite their exposure to cyber losses as yet a further ground for increasing premiums.
Unsurprisingly, prevention is better than cure, and law firms would be well advised to avoid cyber losses rather than relying upon their PI policy and/or their bespoke cyber policy to indemnify them. The following hints and tips, all taken from the SRA’s own guidance [5], should be helpful:
[1] https://gdpr-info.eu and https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted
[2] https://www.sra.org.uk/sra/news/press/pii-cybercrime-consultation/
[4] https://www.sra.org.uk/solicitors/standards-regulations/indemnity-insurance-rules/
[5] https://www.sra.org.uk/solicitors/resources/cybercrime/cybersecurity-advice