Lindsay Hill, Mitigo chief executive officer, answers some key questions about the impact of cyber risks on professional indemnity insurance

What changes are you seeing in professional indemnity insurance (PII) and cyber insurance cover?
Over the last few years, the PII market has hardened for the legal profession, with premiums steadily rising. This is not surprising given the increase in claims, many of which result from an increase in cybercrime, combined with a squeeze in underwriting capacity.

We have also seen more firms looking to supplement their PII with standalone cyber cover – especially following the clarification by the Solicitors Regulation Authority (SRA) in 2021 that, while its minimum terms and conditions of PII for solicitors registered in England and Wales will cover third-party claims arising from a cyber incident, it does not cover any of a firm’s own losses.

Standalone cyber premiums have also been rising quite dramatically. Cyber incidents give rise to heavy losses, and underwriters now know this. The days of cheap cyber cover are gone.

The upshot is that for both PII and cyber insurance, firms must be able to demonstrate that they have taken steps to understand the cyber threats and risks their business faces, and have put in place the technological and organisational measures necessary to control them. Otherwise, they are looking at very high premiums, with many firms finding they are unable to get cover at all.

How has this increased focus on cyber security affected law firms?

Underwriters are now asking quite detailed questions, not just about your technical security and how it is pressure-tested and monitored, but also about how you are training staff, your policies and procedures, general governance and independent assurance – all the things which are needed for actual data security, operational resilience, and legal and regulatory compliance. And if they don’t like the answers, you will be faced with hiked up premiums or a refusal to provide cover. Underwriters are now far more selective about the firms they are willing to cover.

What is causing this change?

Law firms are a prime target for cyber criminals. They hold lots of personal client and other confidential data, which has significant value in the wrong hands. They are involved in the movement of money and financial transactions, which criminals can divert and interfere with. Locking firms out of their data and systems for weeks and threatening to publish or sell highly confidential information can be rewarded with ransom payments running into the millions. Quite a few law firms have experienced just how devastating the impact can be on their finances and reputation.

Therefore, with claims on both PII and cyber policies increasing, premiums increase – and, naturally, firms are expected to implement a proper cyber risk management framework to control the risk.

So, what should law firms be doing?

Well, the starting position is that firms should be managing their cyber risk. Insurance must not be seen as a substitute for effective risk management. Any type of insurance is a fall-back position – a final layer – if things go badly wrong.

Cyber security should be right at the top of any firm’s risk register. It is a board-level matter, which the senior management team should take responsibility for. It is not something to be treated as an IT issue.

Accurately and comprehensively identifying your firm’s cyber risks is an important first step. This initial assessment must be undertaken before you can even begin to put in place the control measures necessary for your firm. The Information Commissioner’s Office (ICO) is quite clear on that point. The assessment should be undertaken by those who have specialist cyber expertise, combined with up-to-date knowledge of the current attacks that are breaching law firms’ defences.

And please appreciate that assessing risk and putting in place control measures is not a one-off MOT. Don’t forget your legal obligation to have a process for regularly testing, assessing and evaluating the effectiveness of the security measures you have put in place. Your forms of ongoing assurance should be independent. Of course, law firms also have additional regulatory obligations under the SRA’s Code of Conduct.

Will my insurance premiums be lower if I control my cyber risk?

Well, it is not quite as simple as applying a particular percentage discount. But by demonstrating that you take cyber risk management seriously, you will show that you are a well-run organisation, motivated to protect your business and clients from harm. You’ll be able to achieve both PII and (if you require it) additional cyber cover, at the best rates possible. You should inform your broker about the protections and assurance you have in place. It is important when you are applying for cover to ‘tell your story’, either in your proposal documentation or other presentation material.

Is there anything else you think firms should be aware of?

In the past, many underwriters did not have a particular focus on cyber risk. But the landscape has changed, and they now better understand how high the risk of a cyberattack can be in a poorly managed firm, and the disastrous impact it can have. So, firms must up their game. They must seriously and professionally manage this risk.

Finally, please bear in mind that there is no policy which will fully cover the losses you will sustain if you suffer a serious cyber breach. I have seen, at first hand, the consequences of an email account takeover or a ransomware attack. It is not pretty. No insurance will make good the disruption caused by downtime, the damage to reputation, loss of clients or restoring clients’ faith in you, fines from the ICO, damage to internal relationships, the sleepless nights and so on.

The Law Society has partnered with Mitigo to offer technical and cyber security services, with exclusive discounts for our members.

For more information, contact Mitigo on 020 8191 9205 or email