Cyber insurance

Cyber insurance covers your costs and losses if you experience a data breach or cyber attack. This can supplement your professional indemnity insurance (PII) cover.

Some insurers will ask about security in your firm as it may lower PII premiums. Your firm should already have appropriate security.

What PII covers

A standard compulsory minimum terms and conditions PII policy will cover you for civil liability and most third party cover.

However, it will not cover other risks linked to cyber incidents, such as:

  • reputational damage
  • costs of a forensics investigation
  • business interruption

What cyber insurance covers

Cyber insurance policies have different levels of coverage:

  • first party cover – damage caused to your firm
  • third party cover – damage caused to clients and others

First party cover

First party cover includes:

  • breach costs – for example, costs of getting experts to investigate the cause and scale of the breach
  • restoration costs – for example, costs of repairing damage to software and data caused by a hacker, such as removing malware
  • response management – for example, getting expert advice to help develop communication strategies to limit reputational damage
  • business interruption – for example, paying back fee income that would have been earned
  • costs relating to cyber threats – for example, paying ransom costs

Third party cover

Third party cover includes:

  • privacy protection – defence costs and settlements following legal action or investigation after a data breach, invasion of privacy or breach of confidentiality
  • media content liability – defence costs and settlements following legal action as a result of content on the firm’s website or social media

Risks not covered

Third party cover does not include theft from your firm’s office account by either third parties or employees. You would need to buy a policy with a crime insurance element to cover this.

Buying cyber insurance

Before you buy cyber insurance, you need to understand the potential threats to your firm and the level of risk you'll accept. You should create your own risk management process.

Assessing the risk

When assessing the risks your PII policy does not cover, you should consider:

  • how much sensitive information your firm holds
  • what the reputational damage would be if you experienced a data breach
  • if you would need expert help to identify and respond to a cyber attack
  • how well you could recover from an attack - the costs of restoring software and data, avoiding bad publicity and not losing fee income

Using a broker

You should discuss your firm’s insurance needs with a specialist broker who is an expert in cyber and crime policies. Discuss removing unnecessary elements in the policy, such as cover for regulatory fines and penalties, that are already covered by your firm’s PII policy. This may lower your cyber insurance premiums.

Your broker should advise on issues relating to your cyber and PII policies, including:

  • if both will be triggered by a cyber attack
  • how coverage disputes can be avoided
  • how excesses will be dealt with
  • if there are any exclusions in the policy


Getting started with cyber insurance  

Cyber insurance guidance for law firms  

Get discounted rates on cybersecurity services

> Back to contents list

Cybersecurity news digest

Stay up to date with all things cyber with our weekly cybersecurity and GDPR newsletter.


key lock
International data transfer

Learn in this one hour webinar more about data transfer, adequacy decisions, EU/US Privacy Shield

International data transfer > More