Cyber insurance covers your costs and losses if you experience a data breach or cyber attack. It can supplement your professional indemnity insurance (PII) cover.
Some insurers will ask about the security controls in your firm, because good controls may lower PII premiums. Your firm should already have appropriate security in place.
What PII covers
A standard PII policy written on the compulsory minimum terms and conditions will cover you for civil liability and most third party claims.
However, it will not cover other risks linked to cyber incidents, such as:
- reputational damage
- costs of a forensics investigation
- business interruption
What cyber insurance covers
Cyber insurance policies have different levels of coverage:
- first party cover – damage caused to your firm
- third party cover – damage caused to clients and others
First party cover
First party cover includes:
- breach costs – for example, costs of getting experts to investigate the cause and scale of the breach
- restoration costs – for example, costs of repairing damage to software and data caused by a hacker, such as removing malware
- response management – for example, getting expert advice to help develop communication strategies to limit reputational damage
- business interruption – for example, paying back fee income that would have been earned
- costs relating to cyber extortion – for example, paying ransom demands
Third party cover
Third party cover includes:
- privacy protection – defence costs and settlements following legal action or investigation after a data breach, invasion of privacy or breach of confidentiality
- media content liability – defence costs and settlements following legal action as a result of content on the firm’s website or social media
Risks not covered
Third party cover does not include theft from your firm’s office account by either third parties or employees. You would need to buy a policy with a crime insurance element to cover this.
Buying cyber insurance
Before you buy cyber insurance, you need to understand the potential threats to your firm and the level of risk you'll accept. You should create your own risk management process.
Assessing the risk
When assessing the risks your PII policy does not cover, you should consider:
- how much sensitive information your firm holds
- what the reputational damage would be if you experienced a data breach
- if you would need expert help to identify and respond to a cyber attack
- how well you could recover from an attack – the costs of restoring software and data, avoiding bad publicity and not losing fee income
Using a broker
You should discuss your firm’s insurance needs with a specialist broker who is an expert in cyber and crime policies. Discuss removing elements of the cyber policy that duplicate your firm’s PII cover, such as cover for regulatory fines and penalties. This may lower your cyber insurance premiums.
Your broker should advise on issues relating to your cyber and PII policies, including:
- whether both policies will be triggered by the same cyber attack
- how coverage disputes between the two insurers can be avoided
- how the excess on each policy will be dealt with
- whether there are any exclusions in either policy