As cyber fraud becomes increasingly prevalent, it’s vital that all firms take the necessary steps to protect themselves. Piers Winton, director at Paragon International Insurance Brokers, explains what action you should take.
It is important to understand just how prevalent cyber fraud is in the UK, despite businesses’ increasing awareness of the risk posed to their IT infrastructure by fraudsters.
The UK government’s cyber security breaches survey 2023 contains some sobering information.
At least 32% of businesses in the UK identified a cyber security breach or attack during the last 12 months. Scaled up to represent all businesses in the UK, the survey estimates that there were 2.39 million instances of cybercrime and 49,000 cases of fraud resulting from cybercrime.
But despite these figures, only 21% of businesses have a formal response plan mapping out the actions to be taken following a cyber incident.
Moving on to data specific to the legal profession, the Solicitors Regulation Authority (SRA) published Cyber security – a thematic review, which, although covering a relatively small sample group (40 firms), confirmed the beliefs of many cyber specialists, including the National Cyber Security Centre, that fraudsters specifically target the legal profession.
Included in the SRA’s findings was that “three quarters (30) of the firms we visited reported that they had been the target of a cyber-attack. In the remaining 10 cases, firms reported that cybercriminals had directly targeted their clients during a legal transaction.
“While not all incidents culminated in a financial loss for clients, 23 of the 30 cases in which firms were directly targeted saw a total of more than £4m of client money stolen.
“While £3.6m of this was ultimately claimed against insurance policies, a further £400,000 had to be repaid directly from firms’ own money.
“These figures do not take account of the wider cost of such incidents to firms, for example higher insurance premiums, lost time and damage to client relationships.”
Why is the legal profession a target?
The National Cyber Security Centre, a part of GCHQ, released a cyber threat report on the UK legal sector in June 2023 to emphasise the extent to which the legal sector is currently targeted.
The report profiles five key incentives for cybercriminals:
- “Law firms routinely handle highly sensitive client information (for instance relating to ongoing criminal cases, or mergers and acquisitions) that may be valuable to criminal organisations with an interest in exploiting opportunities for insider trading, gaining the upper hand in negotiations and litigation, or subverting the course of justice.”
- “Disruption to routine business operations can be costly to legal practices, both in terms of billable hours lost due to outages and costs to clients that depend upon them, making legal practices particularly of interest to ransomware gangs aiming to extort money in return for restoration of IT services.”
- “In many areas, from mergers and acquisitions to conveyancing, legal practices handle significant funds. The time pressures associated with transactions (as well as the large numbers of suppliers and clients and complex payrolls that law firms handle) create attractive conditions for phishing attacks and business email compromise.”
- “Many legal practices, especially smaller firms, chambers and individual practitioners, rely on an external IT services provider, making it challenging for them to assess for themselves whether the controls they have in place are appropriate to the risk they face. A small law firm with few resources could be devastated if caught up by (for example) a ransomware attack. They are more vulnerable to attack, perhaps via unpatched vulnerabilities on unmanaged devices, or due to untrained staff or poorly offboarded leavers. Once attacked, a relatively small financial or reputational loss may be disastrous.”
- “Reputation is critical to the business of law, which makes legal practices attractive targets for extortion.”
The NCSC’s cyber threat report contains a wealth of information apart from the extracts above. I would urge you to add this to your reading list.
Why do only a small percentage of firms buy cyber insurance?
Given the evidence that cybercriminals actively target the profession, instinctively, one might conclude that cyber insurance is a must-have component of a firm’s planned response to a cyber incident, but this is not the case.
Research published by the Law Society in its July 2023 PII survey summary indicates that only 28% of firms purchase cyber insurance. Perhaps the low uptake is born of a misconception that cyber is covered by the firm’s professional indemnity (PI) insurance, but this is only partly true.
In 2021, the SRA, concerned that cyber-related losses might slip through any gap between PI and cyber insurance policies, addressed what came to be called “silent-cyber” (non-affirmative) insurance conditions within its minimum terms and conditions (MTCs).
The SRA’s stated goal was to provide “absolute clarity what is and is not covered in the event of a firm being subject to a cyber-attack/event”.
The outcome was to redraft the MTCs to incorporate an affirmative-cover wording which excludes your own, first-party losses from the PI policy.
Complacency is another contributing factor: “a cyber-attack will never happen to me”. But what if it does?
In the event of a personal data breach, the clock is ticking. Your firm has just 72 hours to report the data breach to the Information Commissioner’s Office (ICO), recording what happened, who is involved and what the firm is doing about it.
Cyber insurers provide 24/7 crisis support, mobilising a panel of experts to resolve the IT breach, provide regulatory legal advice and minimise any adverse reputational impact for your firm.
What does cyber insurance cover?
While the SRA’s MTCs provide standardised coverage provisions, cyber insurance conditions – although broadly similar between insurers in offering cover for your first-party losses and crisis support – can vary from scheme to scheme.
Also, depending on the individual insurer’s perception of acceptable IT infrastructure and controls, underwriting philosophies will reflect differences in their risk profiling.
Because of the diversity of firms’ operations, cyber insurance policies should be tailored to the specific needs of each firm and include both standardised and supplementary coverage, such as:
- cyber risk liability – third-party legal liability, defence costs and compensatory damages and, where legally liable to pay, claimant’s costs as a result of a breach of network security or privacy
- loss of assets or funds resulting from a network security compromise
- costs and expenses to repair, restore or replace damaged data if damaged by a breach of network security
- insurance against business interruption, including net profit loss and additional operational expenses
- legal fees associated with evaluating any regulatory violation and costs relating to contacting any affected persons
- defence, investigation costs and fines, where they are legally insurable
- paying extortion demands and expenses incurred to end a cyber threat
- developing strategies and paying costs, including public relations fees and expenses, to mitigate reputational damage
These headline coverage examples provide an overview of what the firm can expect from its cyber insurance policy. Still, working with your broker to assess your firm’s specific needs and tailor the insurance policy is essential.
Which insurer should I choose?
In insurance markets where the availability of capacity might be limited, questions commonly posed relate to insurers’ financial standing and claims payability.
However, in the context of cyber insurance, there is a wealth of highly rated insurers to choose from. One specific question we receive is whether cyber, where possible, should be purchased from the same insurer that provides PI cover.
Intuitively, it might appear that using the same insurer would provide a more coordinated claims management approach to an event involving first and third-party claims exposures.
In practice, we find that PI and cyber claims teams work independently, particularly as any third-party exposure is only likely to emerge some time after the cyber-attack is resolved.
Although many of our PI insurance partners provide cyber cover, our cyber insurance recommendations are based on the suitability of the insuring conditions and claims response service using a panel of insurers whose products have been extensively researched and validated by us.
The ICO’s number-one piece of advice on how to respond to a personal data breach is “don’t panic”, but in the heat of the moment, that’s likely to be easier said than done.
The clock is ticking down 72 hours from when you discover the breach, during which time you must find out what happened, try to contain the breach, assess the risk, act to protect those affected and, if necessary, submit your report to the ICO.
Add to this the potential disruption to your operation, evaluating extortion demands and taking measures to protect the firm’s reputation, and the full enormity of the task at hand is all too apparent.
If you purchase cyber insurance, you’ll have the peace of mind that, at the end of the phone, a team of experts is at your disposal, 24 hours a day, to guide you through a challenging time for your firm.