Professional indemnity insurance affirmative cyber cover – Law Society response
The Solicitors Regulation Authority (SRA) has proposed changes to the minimum terms and conditions (MTCs) for solicitors’ professional indemnity insurance (PII).
These changes are a response to demands from the insurance industry (regulators and underwriters) for PII policies to provide greater clarity on cyber-related risks.
We accept that the MTCs need to be amended to provide clarity about what is covered in the event of a cyber act or a partial or total failure of any computer system.
The SRA has drafted a new exclusion clause, which it plans to add to the other exclusion clauses that already exist in the MTCs.
The purpose of the new clause is to exclude from cover any cyber-related first-party losses (losses that affect only the firm, but not its clients or others), while affirming that third-party losses remain within the scope of the MTCs.
We agree that there is a need for clarity around the issue of cyber risks and appreciate that the SRA has taken an approach which focuses on the importance of maintaining the profession’s current high levels of client protection.
However, we would prefer that the MTCs were amended to make it explicit that all cyber risks, including first-party losses, are covered under the policy.
If, however, it proves impossible to rework the MTCs in this way, we believe that the SRA’s approach would be acceptable, although we have highlighted some difficulties that are likely consequences of the reforms.
We hope further steps could be taken to minimise any adverse effects.
What this means for solicitors
At the moment, it’s not explicitly stated in the MTCs whether or not cyber risks are covered.
Many solicitors may therefore assume that they are insured in the event of certain cyber-related problems, and it may only be when they come to make a claim that they discover this is not the case.
If the SRA’s reforms are implemented, they will have the virtue of providing clarity on this issue, but they will do so by excluding from cover all losses that affect only the firm.
The SRA has said that it will not be a strict regulatory requirement for firms to buy a separate cyber insurance policy; however, the risks of carrying out business without any such protection will drive many (if not most) firms to purchase cover.
Among the first-party losses that would be excluded under the proposed reforms are such things as:
- emergency response: access to experts who can take control of managing a crisis and advice on what a firm should do in the event of a cyber-attack or failure
- business interruption cover: if a firm cannot operate because its computer systems are out of action, resulting profit losses can be reimbursed
- fines and investigations cover: a firm's legal costs from a regulatory investigation can be insured, along with fines or penalties (if insurable by law)
- electronic data cover: forensic IT experts to restore files following a data breach or cyber-attack, and, if necessary, to protect systems against further attack
- reputation protection: covers the costs of hiring experts to inform those affected by a data breach, as well as extra support for clients; PR consultants can also work to help restore a firm’s reputation
These are not necessarily covered under firms’ current MTC-compliant PII policies, although insurers have sometimes provided such assistance.
The effect of the new exclusion clause would be to put solicitors on notice that they would no longer have access to such assistance, unless they have bought appropriate first-party cyber cover separately.
The consultation closed on Thursday 25 May 2021.
We would welcome further engagement with the SRA to find a solution which meets the need for clarity, without reducing client protections or creating substantial new burdens for solicitors.
If the SRA decides to implement its current proposals, or something similar, we'll work to provide guidance on cyber insurance and signpost products to members.