Sponsored content.

For so many businesses, it’s not a case of if, but when. In 2021, two in five UK businesses said they had experienced cybersecurity breaches or attacks in the previous 12 months, according to the UK government’s Cyber Security Breaches Survey 2021.

While cyber criminals often don’t discriminate when it comes to launching attacks, law firms are seen to be frequent targets. In 2020, the SRA reported 75% of law firms had been targeted by some form of cyber attack. And in 2021, the professional services industry was the second most-targeted industry for ransomware attacks, according to research from the global IT forensic response firm Kivu. In the UK alone, the legal sector has reported approximately 200 data security incidents per quarter to the Information Commissioner’s Office (ICO) in recent years. With the risks and sector targeting increasing, financial and reputational consequences can be severe for law firms, as threat actors not only lock systems and steal sensitive data, but also threaten to publish or sell it unless ransoms are paid. Containing the damage requires a careful, coordinated, prompt response.

When firms leave cyber protection to chance

When cyber events occur, it’s critical for a law firm to be certain about what their insurance policies cover and what they do not. A traditional Professional Indemnity (PI) policy will likely offer some cyber protections, particularly for third-party cyber liabilities due to the broad civil liability protection included in these policies. But cover for first-party loss to the business is less clear. In the wake of a ransomware attack, a firm relying on PI cover for cyber protection would have to make a difficult argument to have their first-party costs covered under their PI policy – and at a time when responsiveness is crucial to protecting a business.

A cyber policy, which explicitly provides such cover, often demonstrates its worth through its ability to quickly activate a coordinated response to a cyber security incident or privacy breach.

“The key reason for having a separate cyber policy is to have those first-party exposures covered,” said James Graham, Deputy Head of Professional Indemnity and Cyber at Travelers Europe. “The pre-arranged incident response service you get with a cyber policy brings together IT forensic investigations, technical guidance, legal advice to help a firm make the necessary disclosures to the ICO, public relations support, business interruption cover, data restoration and other resources a firm needs to respond quickly to a cyber incident and resume business.”

When a firm relies on its PI policy or other insurance covers following a cyber incident or privacy breach, it risks exposing itself unnecessarily to costly specialist incident response providers, claim disputes and, potentially, paying more for insurance than it would otherwise have done.

“Even if a firm is fortunate enough to have their costs covered under their PI policy, it is likely that the excess would be higher than a cyber policy and would materially affect their PI claims record,” Graham said. “It also means there is less limit available for the liabilities the policy was designed to cover.”

The benefits of a risk-aware culture

A firm without standalone cyber cover is effectively rolling the dice, hoping its other covers will protect it following a cyber attack and accepting that it will have to pay a higher excess as a result. On the other hand, simply having standalone cyber cover sends a message that the firm is committed to protecting its cyber security. Indeed, the ICO considers a firm’s insurance when evaluating its disclosures following a privacy breach – and has come down hard on those that appear not to have had a business continuity plan or disaster recovery plan in place. At the time of writing, the ICO had recently issued a penalty to a law firm found to have failed in its duty to implement the correct security measures in relation to a ransomware attack.

“Having a cyber policy with pre-agreed response services from the insurer at a pre-agreed rate is a good risk management tool,” said Davis Kessler, Head of Cyber at Travelers Europe. “It helps firms demonstrate to the ICO that they take cyber risk seriously and are doing all they can to protect themselves.”

Further to this, in a hardening insurance market, having a risk-aware culture can help a firm secure cover in the first place. Many insurers are tightening their requirements, writing cyber policies only for organisations with best-in-class multifactor authentication, as well as training on phishing, penetration testing, endpoint detection and response, and good patching hygiene. The cyber cover then helps the firm minimise any financial and reputational damage it suffers following an incident.

“Cyber cover is about being able to sleep easy at night,” Graham said. “Clients know that in the event of a cyber attack they can dial a 24-7 emergency number and reach a team to help them get back on their feet.”

To find out more about our standalone cyber offering visit travelers.co.uk/cyber or speak to your broker.

Resources

2022 Cyber security incentives and regulation review

SRA Cyber security research report

Kivuconsulting Ransomware in 2022 report

ICO/Tuckers - Action we've taken

ICO Data security incident trends - Action we've taken


James Graham ACII

Deputy Head of Professional Indemnity and Cyber

E: jmgraham@travelers.com

T: +44 (0) 203 207 6873 M: +44 (0) 7818 037 915