The Solicitors Regulation Authority (SRA) is to add a clause on cyber-losses to the minimum terms and conditions (MTCs) of insurance despite concerns expressed by the insurance industry.
The aim is to provide “absolute clarity” for firms, insurers and consumers, without reducing consumer protection.
However, according to a summary of the responses received to the consultation issued earlier this year, insurers argued that the clause should reduce the level of cyber-cover currently provided.
“Some said that the current MTCs give them limited scope to manage cyber exposure and this will impact on insurers’ risk appetites and pricing.
“Others argued alternatively that any losses caused by a cyber event should be subject to separate cyber insurance policies.
Conversely, the Law Society argued that the level of cover should be extended to cover first-party losses, saying some could even close without it.
As a result, the SRA reported nearly half the respondents warned of “unintended consequences” from the change.
The responses were “mixed” on whether the clause maintained the current scope or had changed the scope of cover.
“While most law firms agreed that the drafting met our policy objectives of maintaining current protections, many insurers and brokers argued that it did not. Some insurers thought the draft clause in the proposed format is too ambiguous and open to interpretation.”
The SRA argued that the new clause was needed to meet “the expectations” of the Prudential Regulation Authority and Lloyd’s of London, which were concerned that some policies were not specific enough about which cyber-related losses were covered.
However, the Lloyd’s Market Association (LMA), which represents 87 underwriting syndicates, told the SRA that it was possible the wording of the new clause might still not “meet the requirements of the Lloyd’s mandate” because it failed to “be explicit on what is or is not covered”.
The clause did not address “any type of user or operational error that is non-malicious, such as the scenario of a typographical error or accidental deletion of data”.
The LMA warned that there was “currently limited appetite” in the market to provide law firms with indemnity cover “due to broad coverage, restricted premiums and the current hard market”.
It went on: “We may see some insurers decide to withdraw further from the primary market to effectively manage their cyber exposures and limit their appetite to excess layers only.
“This may counterproductively result in difficulties for the SRA in managing their members’ expectations around premiums and ability to afford adequate level of coverage.”
The LMA added: “The scope of a PII policy should not operate to cover non-negligent liability or plug the gap of protections to consumers that a standalone cyber-policy may.”
The SRA said it held a post-consultation roundtable in July with its external lawyers, together with insurers, brokers and the Law Society.
The regulator said feedback from the roundtable was centred on the need for greater clarity on defence costs, which do not include the business costs of managing the cyber-attack.
There was also a preference “particularly from brokers for more positive drafting language to say when cyber is covered, rather than when it is not as set out in our draft clause”.
Taking this into account, the SRA said it has amended the clause “to add clarity around defence costs coverage and make explicit that there is no intention to expand the scope of defence cover from that which is currently required”.
The SRA said the new clause had now been submitted to the Legal Services Board (LSB) for approval. It aims to introduce the change as soon as possible and with maximum lead-in time for the insurer reinsurance cycle, which happens at the beginning of each calendar year.
The regulator added that it would “monitor the impact of the change and provide input on the wider issues raised about the level of cover for cyber incidents as part of the wider review of the PII market to be launched by the LSB”.
It noted too that the debate had brought into focus that the MTC did not cover losses to the law firm – except for certain costs of investigating and defending a claim – while separate cyber-policies went beyond to offer firms a policy “that will provide resources to both mitigate cyber threats as well as coordinate, investigate and remediate a cyber-attack”.
Paul Philip, chief executive of the SRA, commented: “The clause on cyber losses provides real clarity for consumers, law firms and insurers about client and third-party protection in the event of cyber-attack, without changing the amount of cover specified by the minimum terms and conditions.”