Take cover: getting started with cyber insurance

With the rise of cybercrime, it has never been more important to ensure that your firm is protected against all threats should the worst happen. Law Society endorsed partner Hiscox provides a beginner’s guide to choosing a cyber insurance policy for your firm.

You’re in the middle of completing a complex corporate transaction, and receive an email headed ‘Please open the attached document.’ Although you don’t recognise the sender, the email seems relevant to the transaction you are working on. It’s been a long day, and in an exhausted state you open the attachment, which, unbeknown to you, contains malicious software that locks not only your computer, but also the whole firm’s systems. It sounds plausible, doesn’t it?

Cybercrime has become a pervasive threat in the legal sector. Solicitors hold a mine of personal and sensitive data about their clients, which is often irresistible to hackers.

Hacking into a law firm’s IT systems is incredibly simple. One innocuous attachment to a very convincing-looking email is all it takes to start a chain of events that can potentially cripple a business.

Having security controls in place is vital. Certification to the government-backed Cyber Essentials Scheme should be a basic first step. Once this is in place, cyber insurance can provide a secondary layer of protection should the worst occur. As one cyber insurance broker put it: you wouldn’t insure your house until you’d fixed the front door.

How does cyber insurance work?

Cyber and data risks insurance offers comprehensive protection for your computer systems and data, all available in a single insurance policy. The aim is to get your business up and running again as soon as possible.

In addition, it can cover a number of costs, including business interruption, ransom amounts that need to be paid, as well as fines and penalties.

The recovery position

Incident response generally covers three elements:

  • IT forensic support, which will work to stop any virus from spreading, and restore your systems and data.
  • specialist legal support, to deal with any cyber law issues, and third-party litigation.
  • PR crisis management, to assist with reputational issues, customer complaints that arise, and informing customers should their data have been lost.

Some insurers will offer cover subject to risk management requirements. These can be quite clearly set out in the early stages of a quote, but they can also be hidden in the small print and may be unreasonable or unrealistic. Some may ask for all items to be encrypted; others require systems to be kept up to date with security patches. Before agreeing to any conditions, make sure you can comply with them.

Many policies exclude what the insurance industry calls ‘crime’, namely the fraudulent theft of money, even cyber-enabled theft, either from the firm’s own account or its client account. Although it may be covered by the firm’s professional indemnity insurance (PII), a separate crime policy may be needed if this is not the case. If you hold a lot of money in, for example, your client account, due to the large volume of conveyancing transactions you carry out, it may be worth considering crime cover. A full risk analysis can be carried out by an insurance broker.

Finally, bear in mind that although some insurance companies provide cover for PII, cyber and crime insurance, and will make sure their policies dovetail, there will usually be some overlap. It may be possible to carve this out in order to reduce premiums.

Hiscox cyber and data risks insurance is available to Law Society members with a five per cent discount (full terms and conditions available here). Visit our dedicated partner page or call our UK-based team of experts on 0800 840 2781. Please note that we are unable to provide any advice on the suitability of products.
