Cyber insurance for law firms

In 2021, the Solicitors Regulation Authority (SRA) revised the minimum terms and conditions of solicitors’ insurance (MTCs) following a request for greater clarity from insurers.

The MTCs now explicitly exclude first-party losses (those affecting the firm, rather than clients) resulting from a cyber event.

While such losses were not previously affirmatively included in standard policies, the exclusion puts solicitors on notice that they should:

• give serious thought to their potential liability if they suffer the negative consequences of a cyber loss, and
• consider purchasing appropriate cyber insurance

Purchasing cyber insurance is not a strict regulatory requirement for solicitors, but it’s a sensible precaution and may help firms to meet their regulatory responsibility to ensure that they “identify, monitor and manage all material risks to [their] business” (Rule 2.5 of the Code of Conduct for Firms).

Skip to glossary of useful terms

What are the risks?

Law firms hold sensitive, confidential and valuable data, such as client names, addresses and banking information.

Firms also routinely manage extensive commercially sensitive information and are dependent on computer systems to transact with clients, business partners and financial institutions.

These features make you vulnerable to accidental loss or misuse, as well as cyber criminals or scammers attempting to:

• steal confidential and valuable data or intellectual property
• extort ransom demands, or
• generally disrupt your business

Firms of all sizes, including sole practitioners, are vulnerable, as are solicitors working outside of SRA-regulated entities.

How can I reduce the risk?

To safeguard your firm against damaging cyber losses, it’s essential that:

• good system protection is in place, and
• the firm has (and tests) a disaster plan and an incident recovery process

Insurance is no replacement for sound risk management practices but should be regarded as another layer of protection in case things still go wrong.

Demonstration of effective controls and processes for risk management might also help keep your professional indemnity insurance (PII) premiums down.

Some insurers now ask about the measures firms have taken to protect against scams, including security and IT systems and accreditations such as Cyber Essentials Plus.

For help with preventing scams, see protecting your firm against scams.

For help with cybersecurity, see our information on cybersecurity.

Many risks can be avoided or mitigated by making sure that:

• everyone in the firm is alert to scams
• effective IT security controls are in place

For instance, if there is a data breach but the collection and retention of data had been minimised as far as practicable, then it will potentially reduce the magnitude of the breach.

What is cyber insurance?

Cyber insurance can cover certain costs and losses if your firm experiences a data breach and/or is the subject of a cyber attack that affects the firm’s computer systems.

What does cyber insurance cover?

Cyber insurance policies have been available for some time, and they vary in scope and coverage.

Not all policies provide the same coverage, and you will need to understand the different cyber insurance policies available.

Unlike PII, there is no prescribed list of minimum terms and conditions to be included in cover, so it’s important to look at the policy wording in detail.

Some policies will allow for variation to reflect the nature and activities of the firm or will have different tiers of cover. It’s important that you understand the options to secure the best cover for your firm’s needs.

When selecting an appropriate level of cover, you may wish to consult your IT specialists to help you to compare different policies and different levels of cover.

Your IT specialists will have expertise on some of the terminology and can explain your IT systems, as well as any processes (such as business continuity measures) already in place. This may assist when considering which policy would be more suitable for the firm’s needs.

While there is no such thing as a ‘standard’ cyber policy, a market-leading policy will extend to elements of both first-party cover (damage caused to the firm) and third-party liability (liability to third parties).

Perhaps the most valuable aspect of a cyber policy is the breach response team – experts who will be available to assist at short notice including:

• IT forensics
• PR and crisis consultants
• credit and identity-theft monitoring
• external legal advisers

First-party cover

First party cover may include:

Breach costs

• Costs incurred in responding to an actual/suspected data breach (of client, third-party or staff confidential information)
• Legal expenses incurred in obtaining specialist advice to determine your legal and regulatory obligations, and mitigate exposure to regulatory fines and penalties
• Cost of IT forensics experts to investigate the cause and scale of the breach, and the systems/data that have been affected

Restoration costs

• Costs incurred in restoring/repairing damage to systems, software, and data caused by a hacker (for example, locating and removing malware, or re-establishing the ability to make secure payments)

Response management

• Expert advice to assist with developing communication strategies to limit reputational damage
• Handling of enquiries from concerned clients

Business interruption

• Losses due to interruption of business following a cyber incident (following a waiting period of, typically, 12 hours)
• Reimbursement of revenue that would have been earned
• Reimbursement of expenses incurred to minimise loss of revenue

Cyber extortion

• Costs incurred in the event of a threat to damage or disrupt computer systems, or publish information
• Ransom payment
• Consultant to handle negotiation

Third-party liability cover

Third-party liability cover may include:

Privacy protection and/or system security breach

• Claims from clients (defence costs and awards/settlements) whose transactions were affected by the firm’s inability to meet deadlines in the aftermath of a data breach, invasion of privacy, breach of confidentiality or system security breach
• Regulatory fines/awards (to the extent insurable by law)
• Claims by employees
• Liability for transmission of a computer virus or a distributed denial of service attack

Media content liability

• Claims from clients (defence costs and awards/settlements) as a result of the firm’s online presence (website/social media)
• Breach of intellectual property rights (except patent rights)
• Defamation

Does PII cover some of these risks?

Yes. Your standard compulsory MTCs PII policy will cover you for civil liability and most third-party cover.

However, it will typically not include first-party costs typically associated with cyber incidents, such as:

• reputational damage
• the cost of a forensics investigation, or
• business interruption losses

You can read the exclusion clause for cyber-related claims in section 6.12 of the MTCs.

PII and cyber policies compared

The table below is an indicative guide of the sorts of claims which are typically covered by PII and cyber insurance policies.

However, cyber insurance policies are not a uniform product, so no reliance should be placed on the indicative categories below.

You should consult a broker for advice in relation to your own circumstances and the cover options available.

*With possible exceptions in relation to awards by the Legal Ombudsman

The cyber insurance policies currently available do not dovetail entirely with PII policies, but contain some overlap.

Depending on the risk profile of your firm and the level of risk you are prepared to tolerate, you may still decide that a cyber policy is appropriate for your firm, despite the overlap with the firm’s PII.

You should talk to your broker about finding a cyber insurance policy that will cover those risks that are not within the scope of your compulsory PII (see Consulting a broker) or allow more cyber cover over the limit offered under the PII.

It’s also worth noting that any additional PII cover purchased, above that subject to minimum terms, may include cyber exclusions necessitating a closer look at whether a cyber insurance policy is required.

What does cyber insurance not cover?

One risk not covered, which firms might want and expect to be, is theft from the firm’s office account.

While a cyber policy (and the firm’s PII policy) will cover theft from the client account, it will not cover theft from the office account (by either third parties or employees).

To insure against this risk, a policy containing a crime (fidelity) insurance element may be suitable.

Do you need cyber insurance?

Assess the risk

Whether you purchase cyber insurance will depend on the risk profile of the firm and the level of risk you are prepared to tolerate.

You need to understand the potential threat to your firm, your exposure and you will need to develop your own risk management strategy.

You should assess the risks not covered by the firm’s PII policy to which the firm might be susceptible, and whether those risks are covered by the firm’s other existing insurance policies.

During this exercise, you should be alert to the limits of cover in existing policies. For example, some office insurance policies will contain IT/computer-related cover, but this may be inadequate when faced with a cyber event.

The coverage ‘gaps’ will help assess what your firm might look for by way of additional cover in a cyber and/or crime insurance policy to serve your firm’s specific needs.

In assessing the risk, you may wish to consider:

• the scope and volume of sensitive information held by the firm (both client and employee information)
• the reputational impact on the firm of a data breach. Would the firm survive? Does it have expertise in-house to be able to deal with such an event?
• the extent to which the firm would require expert support to identify and respond to events in the immediate aftermath of a cyber event
• the ability of the firm to absorb the costs of restoring/repairing damage to software and data, mitigating adverse publicity, and loss of revenue in the aftermath of a cyber event

Manage the risk

Next, consider what remaining risks you will face and how you will manage them. Are these risks you are prepared to bear?

Can you transfer the risk?

A cyber policy will allow you to transfer some of these risks (subject to any policy terms and conditions with pre-requirements for avoiding risk).

Cyber underwriters are bringing increased scrutiny to cyber defence protocols of insured, on the back of an exponential rise in cyber claims.

Research has identified that certain minimum or recommended standards of cyber hygiene drastically reduce cyber exposure and are now increasingly being sought.

Below is a list of security factors which currently fall into the category of either ‘minimum standards’ or ‘highly recommended standards’ by cyber insurers.

Multi-factor authentication

Ensure multi-factor authentication is deployed – including for remote access, critical systems (including access to backups), administration accounts and Office 365.

Endpoint protection

Ensure endpoint detection and response protocols are in place (including on all workstations and servers).

Backups

Ensure back-up integrity – including encryption, air-gapping, secure (preferably offline) platforms and appropriately tested restoration.

Incident response plan

Ensure an incident response plan is in place, updated and tested regularly.

Business continuity plan

Ensure a business continuity plan is in place that addresses network outages, offline communications and data recovery protocols.

Remote desk protocol

Provide appropriate firewall protection to remote desk protocol access from outside the network and ensure there are no open ports for remote access.

Software

Ensure removal of outdated software as well as installation of software updates and patching on a regular and prioritised basis.

Education

Ensure high-level employee awareness training including regular phishing simulations, protocol regarding safe use of portable devices, limited use of public wifi and security controls for video conferencing.

Password management

Ensure appropriate password management software is in place.

Vulnerability assessments

Invest in vulnerability assessments, including penetration testing, red-teaming and table-top exercises.

Separation of OT and IT

Ensure appropriate separation of operational technology (OT) and information technology (IT).

Privileged access management

Ensure strategies and technologies are in place to control privileged access and permissions across the IT environment

Consulting a broker

The cyber insurance market in England and Wales is still evolving and broker expertise is variable, so you should discuss the insurance needs of your firm with a specialist broker.

The broker should have expertise in both cyber and crime policies, and understand how policy terms interact with solicitors’ PII.

You should discuss with your broker the possibility of carving out unwanted elements of cover, for example:

• media content liability (unlikely to be a concern for law firms)
• cover for elements of third-party loss that are covered by the firm’s PII policy

Stripping out unnecessary elements could reduce premiums.

You should consider how the cyber policy and your PII policy will interact.

• Will both be triggered by a cyber attack? If so, which will respond ‘first’?
• How will coverage disputes be avoided?
• How will excesses be dealt with?
• Are there any significant exclusions in the policy?

Your broker will be able to advise on these issues.

Some cyber policies require very stringent conditions on preventative measures (for example, latest antivirus software, all portable devices encrypted).

Check these provisions in the policy wording carefully and make sure the firm can comply.

Some policies may require firms to adhere to Cyber Essentials or Cyber-security Information Sharing Partnership standards. See our cybersecurity hub for more details.

You should discuss with your broker the details of any business interruption insurance, including issues such as levels of cover, and time limits for notifying insurers.

Be aware that there are separate regulatory requirements for the notification of data breaches.