Protect your firm: understanding the cyber exclusion within your professional indemnity insurance

Understanding your risk

Law firms are seen as particularly appealing to cybercriminals, for the following reasons:

1. Sensitive client information

Law firms handle extensive confidential information, including financial records, intellectual property, personal data, and legal strategies.

This sensitive data makes them attractive targets for cybercriminals looking to exploit or monetise valuable information.

2. Financial transactions

Law firms often manage significant client balances.

Cybercriminals may target transactions to gain unauthorised access to funds, divert payments, or manipulate financial information for financial gain.

3. Limited cybersecurity measures

In comparison to other industries, many law firms have under-invested in their cybersecurity measures.

This makes them more vulnerable to cyberattacks, as hackers often exploit weaknesses in security systems, outdated software, or inadequate employee training.

4. Lack of cybersecurity awareness

Lawyers may not always prioritise cybersecurity or stay updated on the latest cyber threats.

This lack of awareness can make them susceptible to phishing attacks, social engineering, or other tactics used by cybercriminals to gain unauthorised access to the firm's systems.

5. Third-party access

Law firms often collaborate with third-party vendors, such as court reporting services, legal research providers, or document management platforms.

Cybercriminals may exploit vulnerabilities in these third-party services to gain access to the law firm's systems.

6. Potential for extortion

Given the sensitive nature of the information law firms possess, cybercriminals may leverage the data for extortion.

Threatening to expose confidential information or disrupt legal proceedings can be a powerful tool for coercing financial gain.

The limits of PII

You may think that all losses resulting from a cyberattack are covered by your PII, but that isn’t the case.

In 2021, the Solicitors Regulation Authority (SRA) made efforts to provide clarity regarding the coverage of your PII in the event of a cyberattack or similar incident affecting a firm.

This resulted in an exclusion clause being added to the policy which, at the time, was in line with a wider insurance market move to clarify the cyber position within professional indemnity policies.

Crucially, the new clause confirmed that insurers were able to exclude:

• a cyber act
• a partial or total failure of any computer system
• the receipt or transmission of malware
• malicious code
• the failure or interruption of services relating to core infrastructure
• breach of data protection law

However, it is important to note that any exclusion mentioned above does not exempt or restrict the insurers' liability in cases of civil liability, defence costs that would have been covered under the insurance regardless of the occurrence, or any penalties imposed by a regulatory authority.

There are instances where a loss won’t be covered under firms’ PII and where a separate cyber policy would be better placed to respond.

To help you better understand the potential risks involved, we have outlined a few scenarios for your consideration.

1. Theft of first-party funds via cyber hacking (hacker changes details, leads to wrong payment)

Normally, first-party losses (those affecting only the firm) are not covered under a PII policy.

Consequently, we would not expect there to be cover within your PII in this scenario and a cyber insurance policy should respond to this type of loss*.

2. Theft of third-party funds via cyber hacking (hacker changes details)

As this is a third-party loss (affecting individuals or organisations outside the firm) it would be covered by the PII*.

3. Mandate fraud (social engineering) (first party)

This is a first-party loss which is not normally covered under a PII policy.

Consequently, we would not expect there to be coverage in this scenario and a cyber insurance policy should respond to this type of loss*.

4. Mandate fraud (social engineering) (third party)

As this is a third-party loss, it would be covered by PII*.

5. Malware spreading to clients

This is intended to be excluded.

Consequently, we would not expect there to be cover under your PII in this scenario and a cyber insurance policy should respond to this type of loss*.

6. Liability for client loss from failure to give advice (due to ransomware event)

The failure to provide advice would be within the civil liability of the PII protection so this would not be excluded.

7. Professional error due to corrupt professional software

The provision of professional advice is within the scope of PII. We would therefore expect this to be covered.

8. Claim for damages alleging breach of UK GDPR and Data Protection Act 2018

If the only causes of action relied on by a claimant are under data protection legislation, the exclusion will apply, and the claim will not be covered.

A cyber insurance policy should respond to this type of loss*.

Conclusion

In today's digital age, the legal profession must navigate an increasingly complex landscape of cyber threats.

Law firms represent enticing targets for cybercriminals due to the wealth of valuable and sensitive information they manage, combined with potential weaknesses in their cybersecurity defences and a high-profile client base.

The sensitivity of the data handled by law firms, combined with the potential financial implications of a cyberattack, underscores the necessity of robust cybersecurity measures and comprehensive insurance coverage.

While PII provides essential protection, it is not all-encompassing, particularly in the face of evolving cyber risks. Thus, it is crucial for law firms to recognise the limitations of PII and supplement it with dedicated cyber insurance.

*Subject to its full policy terms and conditions.