The cyber insurance market in England and Wales is still evolving and broker expertise is variable, so you should discuss the insurance needs of your firm with a specialist broker. The broker should have expertise in both cyber and crime policies, and understand how policy terms interact with solicitors' PII.
You should discuss with your broker the possibility of carving out unwanted elements of cover that may come with a standard policy - for example, media content liability (this is unlikely to be a concern for law firms), cover for regulatory fines and penalties (already covered by the firm's PII policy), and cover for elements of third party loss that are covered by the firm's PII policy. Stripping out unnecessary elements could reduce premiums.
You should consider how the cyber policy and your PII policy will interact.
- Will both be triggered by a cyber attack?
- How will coverage disputes be avoided?
- How will excesses be dealt with?
- Are there any significant exclusions in the policy?
Your broker will be able to advise on these issues.
Most policies will include obligations on the firm to manage its cyber/scam prevention procedures and processes to an appropriate level. If the firm does not do so, the insurer will not pay out. Some cyber policies impose very stringent conditions on preventative measures (for example, latest antivirus software, all portable devices encrypted). Check these provisions in the policy wording carefully, and ensure that the firm can comply.
Some policies might offer a discount for firms holding the Cyber Essentials or Cyber Security Information Sharing Partnership standards. See the Society's cyber security pages for more detail.