Caspar Rogers, at our partner Paragon, explains the basics of cyber insurance cover and how this fits in with your firm’s professional indemnity insurance.
In 2021, the Solicitors Regulation Authority (SRA) addressed the potential for cyber-related losses to slip through the gap between a firm’s professional indemnity insurance (PII) and cyber insurance policies.
At the time, PII policies contained non-affirmative, ‘silent cyber’ cover, at odds with the SRA’s objective for its Minimum Terms and Conditions (MTCs) to provide “absolute clarity what is and what is not covered in the event of a firm being subject to a cyber-attack/event”.
After consultation with the profession and the insurance industry, the SRA added a clause to its MTCs affirming that PII policy coverage for cyber-attack losses falls within the scope of a claim for civil liability against a regulated law firm.
In theory, the adoption of affirmative cyber cover would appear to separate PII and cyber insurance policies, but in reality the two are closely linked, both in terms of risk management and claims cooperation.
As we emerge from the October renewal season, it’s likely that one of the critical questions PII underwriters will be asking during renewal negotiations will be about the firm’s attitude towards cyber security.
Verifying that your firm purchases cyber insurance from a reputable insurer can go a long way towards demonstrating the adequacy of your IT infrastructure and the effectiveness of your firm’s risk controls.
Purchasing cyber insurance will necessitate a review of your organisation’s IT framework during the insurance application process.
Cyber insurers frequently provide access to various technical and risk management information to aid in implementing any identified remedial activity.
Practical assistance such as cyber profiling, which is typically offered at little or no cost to firms, assists in developing a solid IT infrastructure that can be documented and evidenced to stakeholders, such as underwriters.
What does cyber insurance cover?
Cyber insurance protects the firm against losses in the event of a data breach or cyberattack. Firms depend extensively on technology to run their operations and files. A breach in IT systems can cause significant disruption, substantial legal costs and reputational harm.
Unlike PII, which is governed by the SRA’s MTCs, cyber insurance policies vary from one insurer to another, but in essence, coverage is provided for your own first-party losses following a data breach or cyberattack. Cyber insurance also provides extensive response management services to help the firm through a challenging time.
Typically, cyber insurance policies are tailored to the specific needs of each firm and include both basic and supplementary coverage, such as:
- Third-party legal liability, defence costs and compensatory damages.
- Loss of assets or funds resulting from a network security compromise.
- Costs and expenses to repair, restore or replace damaged data.
- Insurance against business interruption, including net profit loss and additional operational expenses.
- Legal fees associated with evaluating any regulatory violation and costs relating to contacting any affected persons.
- Defence, investigation costs and fines, where they are legally insurable.
- Paying extortion demands and expenses incurred to end a cyber threat.
- Developing strategies to mitigate reputational damage.
These standard headline coverage examples provide an overview of what the firm can expect to be covered by a cyber insurance policy, but it’s essential to work with your broker to assess your firm’s specific needs and tailor the policy accordingly.
What are the threats?
There is a broad range of cybercrime threats, each with its own methodology and level of complexity. Some of the more common types include:
- Hacking: Skilled computer experts deliberately target firms to identify weaknesses and breach their IT networks. Hackers might be driven by financial gain, notoriety, political ideology, espionage, or any combination of these motives.
- Malware: A broad term for computer viruses designed to grant unauthorised access to computer files and systems. Malware can exploit operating systems and software vulnerabilities, particularly if the firm’s IT infrastructure is not correctly maintained.
- Ransomware: Typically, hackers gain access to IT systems to launch ransomware attacks through e-mails containing malicious attachments or embedded links. Commonly referred to as a ‘trojan horse’ virus, the software prevents access to files and data unless a ransom is paid.
This list of potential threats is by no means exhaustive. Threats can emanate from within your organisation, such as a discontented employee who steals information, a laptop or other data storage devices.
Claims coordination
If a firm sustains a cyber-attack, your insurance broker will coordinate the resources available from your cyber and professional indemnity insurers to respond to the unique set of circumstances in order to achieve an optimal outcome for the firm. During the event management process, a decision will be made whether there are purely first-party (cyber insurance related) losses or if there is a potential third-party impact that will necessitate the coordination of both cyber and professional indemnity insurers. If, for example, there is a ransomware demand, a multi-tiered threat can emerge:
- Extortion: This occurs when cybercriminals demand money by compromising data or threatening server failure. Extortion is a type of cyber blackmail in which the perpetrator encrypts files and then demands money, typically cryptocurrencies such as bitcoin, to recover the information. In a successful attack, the cybercriminal can often demand payment before threatening to actually launch the attack. If the ransom is unpaid, the attack will be executed.
- Double extortion: This is a form of cyberattack in which criminals copy a firm’s confidential data and possibly encrypt it. This gives the cybercriminal greater bargaining power to collect ransom payments from the firm, often by threatening to post sensitive data on the dark web. The cybercriminal carries out a twofold extortion attack by first locating and gaining access to extremely sensitive data from the firm’s network, then copying the data to their own servers after gaining access to the files.
- Triple extortion: Building on the strategy of double extortion, cybercriminals have added a new tier to the cyber-attack, in which the ransom demand does not simply end with the firm. In the practice of triple extortion, ransom demands might be made of the firm’s suppliers or clients. Triple extortion threats can develop from the initial extortion methods described in examples one and two.
Both cyber and professional indemnity insurers will likely be involved in managing the event in the double and triple extortion scenarios. If, however, the event seems to be simply extortion, as in scenario one, there is still a latent double or triple extortion threat.
The Law Society says that “protection and prevention should be your firm’s priorities to guard against damaging cyber losses” and that “insurance is not a substitute for good system protection”. Although we would endorse this sentiment, privacy, cyber and technology liability insurance offers an effective risk transfer solution and provides cybercrime management support when you need it most. And when it comes to your PII renewal, buying cyber insurance from a reputable insurer could be one of your greatest assets when evidencing the robustness of your IT infrastructure.
This article is published without responsibility on the part of the author or publishers for any loss occasioned by any person acting or refraining from action as a result of any views expressed in the article. Specific risk management advice requires detailed knowledge and analysis of firm and practice area facts relating to the risk. The information included in this article cannot and does not attempt to satisfy this requirement for any of its readers.