Cyber insurance guidance for solicitors and law firms
Insurance can help recover costs and losses from cyber attacks, hacks and scams. Learn more about cyber insurance and decide whether it’s right for your firm or organisation.
What is cyber insurance?
Cyber security protection and prevention guards against damaging cyber losses.
Insurance can form part of protection processes.
Professional indemnity insurance (PII) and cyber insurance are additional safeguards. They cover certain costs and losses in the event of a cyber loss which:
- affects your firm’s computer systems, and
- could lead to a data breach
Only 28% of firms purchase cyber insurance according to our 2023 PII research.
Cyber insurance is no replacement for sound risk management practices. You should think of it as another layer of protection in case things go wrong.
Demonstrating effective controls and processes for risk management might also help keep your PII premiums down.
Some insurers now ask about the measures firms have taken to protect against scams. This includes security and IT systems and cyber accreditations.
Many risks can be avoided or mitigated by making sure that:
- everyone in the firm is alert to scams
- effective IT security controls are in place
Read our cyber security guidance for solicitors.
Read our practice note on protecting your firm against scams.
Policies and cover
Cyber insurance policies vary in scope and coverage.
Unlike PII, there is no list of minimum terms and conditions that must be included in cover. It’s important to look at the policy wording in detail.
Some policies will have different tiers of cover. It’s important to understand the options to secure the best cover for your organisation’s needs.
You may wish to consult your IT specialists to help you select the right level of cover.
Perhaps the most valuable aspect of a cyber insurance policy is the breach response team. This is a team of experts who will be available to assist at short notice with:
- IT forensics
- PR and crisis consultants
- credit and identity-theft monitoring
- external legal advisers
Law Society members can take advantage of discounts and offers from our cyber insurance partner, Gallagher.
There are different types of cyber insurance. The main ones are:
- first-party cover
- third-party cover
There is no such thing as a ‘standard’ cyber policy, but a market-leading policy will include elements of both first-party cover and third-party liability.
First-party cover
First-party cover may include the following:
Breach costs
- Costs incurred responding to a data breach. This could be a breach of client, third-party or staff confidential information
- Legal expenses for specialist advice on your legal and regulatory obligations to avoid fines and penalties
- Cost of IT forensics experts to investigate the cause and scale of the breach, and the systems and data that have been affected
Restoration costs
Costs incurred restoring and repairing damage to systems, software and data.
For example, locating and removing malware, or re-establishing the ability to make secure payments.
Response management
- Expert advice to help limit reputational damage
- Handling enquiries from concerned clients
Business interruption
- Losses due to interruption of business following a cyber incident. This will usually follow a waiting period of 12 hours
- Reimbursement of revenue
- Reimbursement of expenses incurred to minimise loss of revenue
Cyber extortion
- Costs incurred responding to a threat to damage or disrupt computer systems, or publish information
- Ransom payment
- Consultant to handle negotiation
Third-party cover
Third-party cover may include the following:
Privacy protection and/or system security breach
- Claims from clients following a data breach, invasion of privacy, breach of confidentiality or system security breach
- Regulatory fines or awards (to the extent insurable by law)
- Claims by employees
- Liability for transmission of a computer virus or a distributed denial of service (DDoS) attack
Media content liability
- Claims from clients related to something posted on the firm’s website or social media
- Breach of intellectual property rights (except patent rights)
- Defamation
Most law firms probably won’t need media content liability.
Not included in cover
Theft from the firm’s office account is not covered by cyber insurance.
Both a cyber policy and the organisation’s PII policy will cover theft from the client account. Neither will cover theft from the office account, whether by third parties or by employees.
To insure against this risk, a policy containing a crime (fidelity) insurance element may be suitable.
Comparison with professional indemnity insurance (PII)
Standard compulsory minimum terms and conditions (MTCs) of PII policies will cover your firm for civil liability and most third-party cover.
However, they will typically not include the first-party costs associated with cyber incidents, such as:
- reputational damage
- the cost of a forensics investigation, or
- business interruption losses
You can read the exclusion clause for cyber-related claims in section 6.12 of the PII MTCs.
You may need to consider additional cyber insurance for adequate protection.
To assess insurance risk, it is useful to gather information about:
- the amount of sensitive information you hold
- potential reputational damage from a breach
- whether you need expert help in case of an attack
- recovery costs, including software restoration and maintaining fee income
- whether to consult with a specialist broker to tailor your insurance policy. This can potentially lower premiums by removing unnecessary elements
PII and cyber policies compared
The table below is an overview of claims which are typically covered by PII and cyber insurance policies.
Cyber insurance policies differ. You should speak to an insurance broker for advice on your circumstances and the cover options available.
| Circumstances | PII (minimum terms and conditions) | Cyber insurance |
|---|---|---|
| Data breach costs, including: | | |
| | No | Yes |
| | No | Yes |
| | No | Yes |
| Public relations (crisis management) expenses | No | Yes |
| Data restoration cost | No | Yes |
| Business interruption losses | No | Yes |
| Cyber extortion | No | Yes |
| Cyber deception loss reimbursement (for example, theft from office account) | No | Policy dependent |
| Liability to employees and partners arising from security and privacy breaches | No | Yes |
| Media liability (defamation/infringement of IP rights other than patents) | Yes | Yes |
| Liability to third parties arising from security and privacy breaches | Yes | Yes |
| Regulatory fines or awards (where insurable by law only) | No* | Yes |
| Defence costs for regulatory fines or awards | No | Yes |
*With possible exceptions in relation to awards by the Legal Ombudsman.
The Solicitors Regulation Authority’s minimum terms and conditions of solicitors’ insurance (MTCs) don’t include first-party losses resulting from a cyber event.
These are losses that affect the law firm itself rather than its clients, for example data breaches, ransomware or system damage.
Even though the MTCs don’t include first-party losses, your firm should still consider purchasing appropriate cyber insurance to protect against potential liabilities arising from a cyber incident.
Overlap with PII
Cyber insurance policies do not fully align with PII policies, but they do cover some of the same areas.
You may decide that a cyber policy is appropriate for your firm despite the overlap with your PII. This will depend on your firm’s risk profile and the level of risk you are prepared to tolerate.
Speak to an insurance broker to find a cyber insurance policy that:
- covers the risks that are not within the scope of your compulsory PII
- allows more cyber cover over the limit offered under your PII
Additional PII cover, above the primary layer, may not include protection against cyber-related incidents.
It may be sensible to review the top-up policy carefully and consider whether you also need a dedicated cyber insurance policy to be fully protected.
Deciding if you need cyber insurance
The decision to purchase cyber insurance will depend on the level of risk your firm is prepared to accept.
You need to understand the potential threat to your firm and your exposure. You should also develop your own risk management strategy.
Assess the risk
Identify the risks not covered by your firm’s PII policy that you might be exposed to.
Find out whether these risks are covered by the firm’s other existing insurance policies.
Check the limits of existing policies carefully.
For example, some office insurance policies will contain IT and computer-related cover, but this may not be enough to deal with cyber attacks.
Identifying these coverage ‘gaps’ will help you assess what extra cover your firm might need from a cyber insurance policy.
You should also consider:
- how much sensitive information you hold (both client and employee information)
- the reputational impact of a data breach. Would the firm survive? Do you have expertise in-house to deal with a breach?
- how much support you need to identify and respond to a cyber incident
- whether you’d be able to cover the costs of a cyber incident. Costs include restoring damaged software, managing negative publicity and loss of revenue
Decide if you can manage the risks
Once you have identified all the risks, consider how you will manage them.
If there are risks you can’t deal with, you may be able to transfer them to a cyber insurance policy (subject to policy terms and conditions and any prerequisites for avoiding risk).
Check you have the right standards in place
Cyber insurance providers often require businesses to have certain cyber security standards in place.
Many providers have ‘minimum standards’. If your firm doesn’t have these in place, you may:
- be denied coverage
- face higher premiums
- receive limited coverage or exclusions
They may also have ‘highly recommended standards’. These are not always mandatory, but if you have them in place the insurer may offer better terms or lower premiums.
Common cyber security measures insurers may ask for include:
- multi-factor authentication
- up-to-date antivirus software
- regular data backups
- an incident response plan
- a business continuity plan
- a remote access protocol, including firewall protection
- appropriate password management systems
For more information on cyber security measures, read our cyber security guidance for solicitors.
To ensure you meet cyber security standards, consider cyber security certification.
Insurance brokers
The cyber insurance market in England and Wales is still evolving. Broker expertise can vary.
You should discuss the insurance needs of your firm with a specialist broker.
The broker should have expertise in both cyber and crime policies and understand how policy terms interact with solicitors’ PII.
You should discuss removing unwanted elements of cover, for example:
- media content liability (unlikely to be a concern for law firms)
- cover for elements of third-party loss that are already covered by your firm’s PII policy
Removing unnecessary elements could reduce your insurance premiums.
You should consider how the cyber insurance policy and your PII policy will interact.
- Will both policies be triggered by a cyber attack? If so, which will respond ‘first’?
- How will you avoid coverage disputes?
- How will excesses be dealt with?
- Are there any significant exclusions in the policy?
Your broker will be able to advise on these issues.
Regulatory requirements
Purchasing cyber insurance is not a strict regulatory requirement for solicitors, but it is a sensible precaution.
Cyber insurance may help firms to meet their regulatory responsibility to ensure they “identify, monitor and manage all material risks to [their] business” (Rule 2.5 of the Code of Conduct for Firms).
The Solicitors Regulation Authority (SRA) has minimum terms and conditions of solicitors’ insurance (MTCs).
Resources, training and accreditation
Read our guidance on:
- cyber security for solicitors
- how to identify a cyber attack
- what to do after a cyber attack
- cloud computing
Browse our upcoming cyber security training courses.
Join our risk and compliance member community.