Skip to main content
main content, press tab to continue
Article

Solicitors, Cyber Crime and “Silent Cyber”

By Jonathan Corman | August 3, 2021

Jonathan Corman of Fenchurch Law considers some recent developments in relation to the insurance implications of cyber crime and other cyber losses.
Financial, Executive and Professional Risks (FINEX)
N/A

Law firms are particularly exposed to cyber risks because they hold and transfer large sums of (usually, client) money and because they hold and transfer sensitive corporate and personal data. In this article, Jonathan Corman of Fenchurch Law considers some recent developments in relation to the insurance implications of cyber crime and other cyber losses, as well as providing hints and tips for avoiding them.

Introduction

“Cyber crime” describes various acts carried out by “cyber criminals”, including:

Email modification fraud is the most common problem affecting the legal profession.

“Email modification fraud” (also known as “business email compromise”, or colloquially as “Friday afternoon fraud”), where cyber criminals intercept or falsify emails between clients and law firms, and bank details are changed from the original account to that of the cyber criminal. Email modification fraud is the most common problem affecting the legal profession.

“Phishing”, whereby criminals send emails in order to obtain confidential information (passwords, bank details, etc.) or to cause the unintentional downloading of malicious software (“malware”). Phishing now includes various sub-categories, such as:

  • “spear phishing”, where the email from the criminal is personalised to increase the chance of being effective;
  • “whaling”, where the email is targeted at a senior manager within an organisation;
  • “smishing”and “vishing”, which involve text messages and telephone calls rather than emails.

“Ransomware”, whereby malware infiltrates the victim’s IT system, and ransoms are demanded by the cyber criminals in return for remedying the problem.

In addition to cyber crime is the risk of non-criminal cyber losses, such as business interruption losses when servers crash and claims or fines arise from the accidental or negligent dissemination of confidential information, which will almost inevitably constitute a breach of the GDPR1.

Cyber Policies and Silent Cyber

Cyber policies are insurance policies specifically designed to protect policyholders against either first-party losses such as business interruption or third-party claims.

A relatively recent development in this sphere is the focus by regulators on “silent cyber”2.

Silent cyber, also termed “non-affirmative” cyber, is the provision, perhaps inadvertently, of cover for cyber risks within traditional property and liability policies. That contrasts with “affirmative” cyber cover, which is expressly provided either in bespoke cyber policies or in express extensions within non cyber policies.

Why is this a Problem?

Silent cyber is a problem for both policyholders and insurers.

For policyholders, it can lead either to a false sense of security because they think that a traditional policy will cover cyber losses, when in fact it will not or, conversely, lead to wasted expenditure, because they purchase cyber policies when the risk is already covered under traditional policies.

Silent cyber is a problem for both policyholders and insurers.

For insurers, inadvertently giving cyber cover may lead to large losses for which they have made no provision via their pricing and/or for which they have inadequate reinsurance.

For both insurers and policyholders, silent cyber is a fertile ground for expensive and time-consuming coverage disputes.

Regulatory Response

From late 2016 onwards, the Prudential Regulatory Authority started to focus on this problem. In 2017 it told insurers that they needed to “robustly assess and actively manage ”their silent cyber exposure3.

This led to Lloyd’s of London telling its members that they had to provide clarity in their policies, by either expressly excluding cyber cover or expressly providing it (i.e. affirmative cyber cover).

More recently, the Lloyd’s Market Association and the International Underwriting Association of London have developed a number of cyber related endorsements which, in traditional property or liability policies, expressly exclude various cyber related losses.

The SRA’s Response

Unlike most insurers, those writing solicitors’ professional indemnity have not been able unilaterally to amend their policies, given the requirement that they conform to the SRA Minimum Terms and Conditions4 (“the MTCs”).

The SRA issued a consultation paper in April, which indicates that its position will be that insurers will be free to make explicit that (as is the case in any event) first-party losses caused to a law firm by a cyber attack e.g. the loss of the firm’s own money or the cost of rectifying any reputational issues would not be covered.

By contrast, the very wide cover for third-party claims encompassed by the MTCs - whereby, save for certain exclusions, all “civil liability” is covered - is to remain in place, even if the liability is caused by a cyber attack. Thus, any redress due to a client, for lost money or lost data, will remain covered.

The SRA expressed the hope that this approach would not affect solicitors’ PI premiums given that it was merely expressing what was already the case. However, it remains to be seen whether PI insurers will cite their exposure to cyber losses as yet a further ground for increasing premiums.

Hints and Tips

Unsurprisingly, prevention is better than cure, and law firms would be well advised to avoid cyber losses rather than relying upon their PI policy and/or their bespoke cyber policy to indemnify them. The following hints and tips, all taken from the SRA’s own guidance5, should be helpful:

Email modification fraud
  • Implement strong financial controls to manage the risk
  • Have adequate safeguards to verify the identity of email senders
  • Train staff to be alert to cyber criminal tactics
  • Internal training and education on these risks is vital
  • Implement email authentication software
  • Incorporate warnings on company emails
  • Inform clients how you will be communicating with them
  • Educate clients about how they can help prevent becoming the victims of fraud
Ransomware
  • Install security software
  • Know how malware is most likely to be downloaded on your systems
  • Have a disaster recovery plan
  • Health check your contingencies and controls
  • Never forget to update your software and operating system
  • Know what hardware and software assets are connected to the network
  • Segment the network to prevent an attack affecting your entire IT system
  • Ensure you have enough servers, backups and storage facilities to recover data quickly and securely
Phishing
  • Adapt your business culture to prioritise the risks of social engineering attacks
  • Assess your systems, controls and working practices for managing data with third parties
  • Test your vulnerabilities
  • Review your data management and how confidential information is secured
  • Accept that these attacks exist and understanding how they work
  • Use a risk register to focus your responses to different cyber risks
  • Monitor your email system and online behaviour
  • Review your website and how it could be used by fraudsters to commit fraud

Footnotes

1 https://gdpr-info.eu and https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted

2 https://www.sra.org.uk/sra/news/press/pii-cybercrime-consultation/

3 https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/supervisory-statement/2017/ss417.pdf?la=en&hash=6F09201D54FFE5D90F3F68C0BF19C368E251AD93

4 https://www.sra.org.uk/solicitors/standards-regulations/indemnity-insurance-rules/

5 https://www.sra.org.uk/solicitors/resources/cybercrime/cybersecurity-advice

Author


Partner, Fenchurch Law

Contact us