Cyber insurance guidance for law firms

10 October 2016

This guidance is intended to help you navigate the considerations to take into account when deciding whether to purchase or renew cyber insurance.

Protection and prevention should be your firm's priorities to guard against damaging cyber attacks. Insurance is not a substitute for good system protection. If you choose to obtain cyber insurance, this should be as an additional safeguard to cover certain costs and losses in the event of a data breach and/or cyber attack that affects the firm's computer systems.

Useful terms


Cyber: a broad term encompassing the technological elements of modern society, from computers and emails to websites and smart devices.

Cyber attack: an attack on an organisation's technology using a combination of technical and social engineering techniques to gain unauthorised access to the organisation's systems and data. An attack may be destructive in nature but more often is a silent theft of valuable data or electronic funds.

Malware: hostile or intrusive software, including computer viruses and other malicious programs, that can infect computers and other electronic devices. Malware is commonly delivered through phishing emails, as an attachment or a link. It often goes undetected and can remain dormant on IT systems until an opportunity for theft arises.

Phishing: the fraudulent practice of sending emails purporting to be from a reputable and trustworthy source in order to persuade individuals to reveal sensitive information, such as usernames, passwords and payment card numbers.

What are the risks?

Law firms hold sensitive and confidential information such as client names, addresses and banking details. Firms also routinely handle substantial sums of money and depend on computer systems to transact with clients and business partners. These features make firms attractive targets for cyber criminals and scammers attempting to steal money from client accounts or to steal confidential data. Firms of all sizes are vulnerable.

How can I reduce the risk?

To safeguard your firm against damaging cyber attacks, it is essential that good system protection is in place, and that the firm has (and tests) a disaster plan. Insurance is no replacement for sound risk management practices, but should be regarded as another layer of protection in case things still go wrong.

Demonstrating effective controls and processes for risk management might also help keep your professional indemnity insurance (PII) premiums down: some insurers now ask about the measures firms have taken to protect against scams, including their security and IT systems.

For help with preventing scams, see Protecting your firm against scams.
For help with cyber security, see our information on cyber security.

Many risks can be avoided or mitigated by ensuring that everyone in the firm is alert to scams and by ensuring that effective IT security controls are in place. 

What is cyber insurance?

Cyber insurance can cover certain costs and losses if your firm experiences a data breach and/or is the subject of a cyber attack that affects the firm's computer systems.

What does cyber insurance cover?


Cyber insurance policies have been available for some time and they vary in scope and coverage.

Not all policies provide the same coverage, and you will need to understand the different cyber insurance policies available. Unlike PII, there is not a prescribed list of minimum cover, so it is important to look at the policy wording in detail. 

Some policies allow variation to reflect the nature and activities of the firm, or offer different tiers of cover. It is important that you understand the options in order to secure the best cover for your firm's needs. Policies typically include elements of both first party cover (losses suffered by the firm itself) and third party cover (the firm's liability to clients and others).

First party cover

  • Breach costs - costs incurred in responding to an actual/suspected data breach (of client, third party, or staff confidential information)
    - legal expenses incurred in obtaining specialist legal advice to determine your legal and regulatory obligations, and mitigate exposure to regulatory fines and penalties
    - cost of IT forensics experts to investigate the cause and scale of the breach, the systems/data that have been affected, and put in place preventative measures against further breaches
    - costs of notification of the breach to clients
  • Restoration costs - costs incurred in restoring/repairing damage to software and data caused by a hacker (for example, locating and removing malware)
  • Response management - expert advice to assist with developing communication strategies to limit reputational damage
    - public relations advice for communications handling about the incident
    - handling of enquiries from concerned clients
  • Business interruption - losses due to interruption of business following a cyber incident
    - reimbursement of fee income that would have been earned
    - reimbursement of expenses incurred to minimise loss of fee income
    - claims from clients whose transactions were affected by the firm's inability to meet deadlines in the aftermath of the incident
  • Cyber extortion - costs incurred in the event of a threat to damage or disrupt computer systems, or publish information
    - ransom payment
    - consultant to handle negotiation

Third party cover

  • Privacy protection - defence costs and awards/settlements made following legal action or investigation as a result of a data breach, invasion of privacy or breach of confidentiality
    - regulatory fines/awards (to the extent insurable by law)
    - claims by employees
    - liability for transmission of a computer virus
  • Media content liability - defence costs and awards/settlements made following legal action as a result of the firm's online presence (website/social media)
    - breach of intellectual property rights
    - defamation

Does professional indemnity insurance cover some of these risks?

Yes. Your compulsory professional indemnity insurance (PII) policy, written on the SRA minimum terms and conditions, will cover you for civil liability and most of the third party cover listed above. However, it will not cover other losses typically associated with cyber incidents, such as reputational damage, the cost of a forensic investigation, or business interruption.

PII and cyber policies compared

Cover element                                                         PII    Cyber
--------------------------------------------------------------------  ---    -----
Data breach costs, including:
  - specialist legal advice expenses                                  No     Yes
  - forensic investigation expenses                                   No     Yes
  - notification costs                                                No     Yes
Public relations (crisis management) expenses                         No     Yes
Data restoration costs                                                No     Yes
Business interruption                                                 No     Yes
Cyber extortion                                                       No     Yes
Cyber deception loss reimbursement (eg theft from office account)     No     No
Liability to employees and partners arising from security and
  privacy breaches                                                    No     Yes
Media liability (defamation / infringement of IP rights)              Yes    Yes
Liability to third parties arising from security and privacy
  breaches                                                            Yes    Yes
Regulatory fines and penalties (where insurable by law)               Yes    Yes
Defence costs for regulatory fines and penalties                      No     Yes

PII here means the firm's professional indemnity insurance written on the SRA minimum terms and conditions.
 

The cyber insurance policies currently available do not dovetail entirely with PII policies, but contain some overlap. This is because cyber policies have been developed for industries that are not subject to compulsory PII protection.

Depending on the risk profile of your firm and the level of risk you are prepared to tolerate, you may still decide that a cyber policy is appropriate for your firm, despite the overlap with the firm's PII.

What does cyber insurance not cover?


One risk not covered, which firms might want and expect to be, is theft from the firm's office account. While a cyber policy (and the firm's PII policy) will cover theft from the client account, it will not cover theft from the office account (by either third parties or employees).

To insure against this risk you would need to purchase a policy containing a crime (fidelity) insurance element.

Do you need cyber insurance?


Assess the risk

Whether you purchase cyber insurance will depend on the risk profile of the firm and the level of risk you are prepared to tolerate.

You need to understand the potential threat to your firm, your exposure and to develop your own risk management strategy.

You should assess the risks not covered by the firm's PII policy to which the firm might be susceptible, and whether those risks are covered by the firm's other existing insurance policies. During this exercise you should be alert to the limits of cover in existing policies. For example, some office insurance policies contain IT or computer-related cover, but this is usually limited to physical loss or damage to equipment and is unlikely to be adequate for the losses that follow a cyber attack.

The risks identified as not already covered will help assess what your firm might look for by way of additional cover in a cyber/crime insurance policy to serve your firm's specific needs.

In assessing the risk, you may wish to consider:

  • The scope and volume of sensitive information held by the firm (both client and employee information).
  • The reputational impact on the firm of a data breach. Would the firm survive? Does it have expertise in-house to be able to deal with such an event?
  • The extent to which the firm would require expert support to identify and respond to events in the immediate aftermath of a cyber attack.
  • The ability of the firm to absorb the costs of restoring/repairing damage to software and data, mitigating adverse publicity, and loss of fee income in the aftermath of a cyber incident.

Manage the risk

Next consider what remaining risks you will face and how you will manage them. Are these risks you are prepared to bear?

Can you transfer the risk?

A cyber policy will allow you to transfer some of these risks, subject to the policy's terms and conditions, which will usually include preventative measures the insurer requires the firm to have in place before cover applies.

Consulting a broker


The cyber insurance market in England and Wales is still evolving and broker expertise is variable, so you should discuss the insurance needs of your firm with a specialist broker. The broker should have expertise in both cyber and crime policies, and understand how policy terms interact with solicitors' PII.

You should discuss with your broker the possibility of carving out unwanted elements of cover that may come with a standard policy, for example media content liability (unlikely to be a concern for most law firms), cover for regulatory fines and penalties (already covered by the firm's PII policy, although note that PII does not cover the defence costs of regulatory action, so that element may be worth keeping), and cover for elements of third party loss that are already covered by the firm's PII policy. Stripping out unnecessary elements could reduce premiums.

You should consider how the cyber policy and your PII policy will interact.

  • Will both be triggered by a cyber attack?
  • How will coverage disputes be avoided?
  • How will excesses be dealt with?
  • Are there any significant exclusions in the policy?

Your broker will be able to advise on these issues.

Most policies will include obligations on the firm to maintain its cyber and scam prevention procedures and processes to an appropriate level. If the firm does not do so, the insurer may be entitled to refuse a claim. Some cyber policies impose very stringent conditions on preventative measures (for example, up-to-date antivirus software on all machines, or encryption of all portable devices). Check these provisions in the policy wording carefully, ensure that the firm can comply, and keep dated evidence that it does, since compliance is likely to be questioned only after an incident has occurred.
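As an added illustration (it is not part of the Society's guidance and does not replace reading your own policy wording), the following PowerShell script produces dated evidence that a Windows laptop meets two warranties of the kind mentioned above: every BitLocker volume fully encrypted with protection switched on, and Microsoft Defender enabled with recent signatures. The seven-day signature age limit and the "every volume encrypted" rule are assumed thresholds chosen for the example; substitute whatever terms your policy actually sets.

```powershell
# Added example, not part of the original guidance. Evidences a Windows laptop's
# compliance with two common cyber-policy warranties: full-disk encryption and
# up-to-date antivirus, using the built-in BitLocker and Defender cmdlets.
# Assumptions (read your own policy wording for the real terms): every volume
# must be fully encrypted with protection on, and signatures must be under
# 7 days old. Run from an elevated PowerShell prompt on each device.

param(
    [int]$MaxSignatureAgeDays = 7   # assumed threshold, not taken from any policy
)

function Get-EncryptionFindings {
    # One finding per volume that is not fully encrypted or has protection
    # suspended. Removable drives that are plugged in are listed too, which is
    # what a 'portable devices encrypted' warranty would expect.
    $findings = @()
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeStatus -ne 'FullyEncrypted' -or $vol.ProtectionStatus -ne 'On') {
            $findings += "Volume $($vol.MountPoint): status=$($vol.VolumeStatus), protection=$($vol.ProtectionStatus)"
        }
    }
    return $findings
}

function Get-AntivirusFindings {
    param([int]$MaxAgeDays)
    $findings = @()
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        # The Defender cmdlets fail when Defender is removed or a third-party
        # product owns protection; that product's status must be evidenced instead.
        return @('Defender status unavailable; verify third-party antivirus manually')
    }
    if (-not $status.AntivirusEnabled)          { $findings += 'Antivirus engine disabled' }
    if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection disabled' }
    $age = (Get-Date) - $status.AntivirusSignatureLastUpdated
    if ($age.TotalDays -gt $MaxAgeDays) {
        $findings += "Signatures last updated $([int]$age.TotalDays) days ago (limit $MaxAgeDays)"
    }
    return $findings
}

$encryption = @(Get-EncryptionFindings)
$antivirus  = @(Get-AntivirusFindings -MaxAgeDays $MaxSignatureAgeDays)

# Keep the JSON output per device: dated evidence that the controls were in
# place is what you will need if the insurer questions compliance after an incident.
[pscustomobject]@{
    Device     = $env:COMPUTERNAME
    CheckedAt  = (Get-Date).ToString('s')
    Compliant  = ($encryption.Count -eq 0 -and $antivirus.Count -eq 0)
    Encryption = $encryption
    Antivirus  = $antivirus
} | ConvertTo-Json -Depth 3
```

The BitLocker cmdlets are only present on Windows editions that include BitLocker (Pro and Enterprise), and the script records the position at one moment; a warranty that devices are "always" encrypted is better evidenced by running it on a schedule and retaining the output alongside the policy documents.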

Some policies might offer a discount to firms that hold Cyber Essentials certification or participate in the Cyber-security Information Sharing Partnership (CiSP). See the Society's cyber security pages for more detail.