Protect your firm: understanding the cyber exclusion within your professional indemnity insurance
Understanding your risk
Law firms are seen as particularly appealing to cybercriminals, for the following reasons:
1. Sensitive client information
Law firms handle extensive confidential information, including financial records, intellectual property, personal data, and legal strategies.
This sensitive data makes them attractive targets for cybercriminals looking to exploit or monetise valuable information.
2. Financial transactions
Law firms often manage significant client balances.
Cybercriminals may target these transactions to gain unauthorised access to funds, divert payments, or manipulate financial information.
3. Limited cybersecurity measures
In comparison to other industries, many law firms have under-invested in their cybersecurity measures.
This makes them more vulnerable to cyberattacks, as hackers often exploit weaknesses in security systems, outdated software, or inadequate employee training.
4. Lack of cybersecurity awareness
Lawyers may not always prioritise cybersecurity or stay updated on the latest cyber threats.
This lack of awareness can make them susceptible to phishing attacks, social engineering, or other tactics used by cybercriminals to gain unauthorised access to the firm's systems.
5. Third-party access
Law firms often collaborate with third-party vendors, such as court reporting services, legal research providers, or document management platforms.
Cybercriminals may exploit vulnerabilities in these third-party services to gain access to the law firm's systems.
6. Potential for extortion
Given the sensitive nature of the information law firms possess, cybercriminals may leverage the data for extortion.
Threatening to expose confidential information or disrupt legal proceedings can be a powerful lever for extorting payment.
The limits of PII
You may think that all losses resulting from a cyberattack are covered by your PII, but that isn’t the case.
In 2021, the Solicitors Regulation Authority (SRA) made efforts to provide clarity regarding the coverage of your PII in the event of a cyberattack or similar incident affecting a firm.
This resulted in an exclusion clause being added to the policy which, at the time, was in line with a wider insurance market move to clarify the cyber position within professional indemnity policies.
Crucially, the new clause confirmed that insurers were able to exclude:
- a cyber act
- a partial or total failure of any computer system
- the receipt or transmission of malware
- malicious code
- the failure or interruption of services relating to core infrastructure
- breach of data protection law
However, it is important to note that none of the exclusions listed above removes or restricts the insurers' liability for civil liability, for defence costs that would have been covered under the insurance regardless of the incident, or for any penalties imposed by a regulatory authority.
There are instances where a loss won’t be covered under firms’ PII and where a separate cyber policy would be better placed to respond.
To help you better understand the potential risks involved, we have outlined a few scenarios for your consideration.
1. Theft of first-party funds via cyber hacking (hacker changes details, leads to wrong payment)
Normally, first-party losses (those affecting only the firm) are not covered under a PII policy.
Consequently, we would not expect there to be cover within your PII in this scenario and a cyber insurance policy should respond to this type of loss*.
2. Theft of third-party funds via cyber hacking (hacker changes details)
As this is a third-party loss (affecting individuals or organisations outside the firm), it would be covered by the PII*.
3. Mandate fraud (social engineering) (first party)
This is a first-party loss which is not normally covered under a PII policy.
Consequently, we would not expect there to be coverage in this scenario and a cyber insurance policy should respond to this type of loss*.
4. Mandate fraud (social engineering) (third party)
As this is a third-party loss, it would be covered by PII*.
5. Malware spreading to clients
This type of loss is intended to fall within the exclusion.
Consequently, we would not expect there to be cover under your PII in this scenario and a cyber insurance policy should respond to this type of loss*.
6. Liability for client loss from failure to give advice (due to ransomware event)
The failure to provide advice would be within the civil liability of the PII protection so this would not be excluded.
7. Professional error due to corrupt professional software
The provision of professional advice is within the scope of PII. We would therefore expect this to be covered.
8. Claim for damages alleging breach of UK GDPR and Data Protection Act 2018
If the only causes of action relied on by a claimant are under data protection legislation, the exclusion will apply, and the claim will not be covered.
A cyber insurance policy should respond to this type of loss*.
Conclusion
In today's digital age, the legal profession must navigate an increasingly complex landscape of cyber threats.
Law firms represent enticing targets for cybercriminals due to the wealth of valuable and sensitive information they manage, combined with potential weaknesses in their cybersecurity defences and a high-profile client base.
The sensitivity of the data handled by law firms, combined with the potential financial implications of a cyberattack, underscores the necessity of robust cybersecurity measures and comprehensive insurance coverage.
While PII provides essential protection, it is not all-encompassing, particularly in the face of evolving cyber risks. Thus, it is crucial for law firms to recognise the limitations of PII and supplement it with dedicated cyber insurance.
*Subject to its full policy terms and conditions.
Find out more
Contact Gallagher today to discuss your cybersecurity strategy and explore their tailored cyber insurance solutions, exclusive to Law Society members.
The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area.
We make no claims as to the completeness or accuracy of the information contained herein or in the links that were live at the date of publication. You should not act upon (or should refrain from acting upon) the information in this publication without first seeking specific legal and/or specialist advice.
Arthur J. Gallagher Insurance Brokers Limited accepts no liability for any inaccuracy, omission, or mistake in this publication, nor will we be responsible for any loss that may be suffered as a result of any person relying on the information contained herein.
Arthur J. Gallagher (UK) Limited is authorised and regulated by the Financial Conduct Authority. Registered Office: The Walbrook Building, 25 Walbrook, London EC4N 8AW. Registered in England and Wales. Company Number: 119013.