The extent to which losses caused by cyber-attacks are covered by law firms’ professional indemnity insurance (PII) policies is to be clarified by the Solicitors Regulation Authority (SRA).
It has launched a consultation on adding a clause on cyber losses to the minimum terms and conditions of insurance to provide “absolute clarity” for law firms, insurers and consumers, without altering the scope of consumer protection.
Cyber-attacks are on the rise; cybercrime caused £2.5m of reported losses to law firms in the first half of 2020 alone.
The new clause would be “in line with the expectations that the Prudential Regulation Authority (PRA) and Lloyd’s of London have of insurers”.
The regulator said the PRA and Lloyd’s were concerned that some insurance policies were not specific enough about exactly which cyber-related losses were covered.
“This means that firms might wrongly think they have PII cover for certain types of loss arising out of a cyber-attack, or that firms might be paying for the same cover through several policies (for example, the separate cyber insurance policies) when they have no need to do so.
“The PRA and Lloyd’s are therefore requiring insurers to take steps which include making provision for cyber losses explicit in their insurance policies, including for PII.”
Under the proposed clause, losses caused by a cyber-attack “which fall within scope of a claim for civil liability against a regulated law firm” must be covered by insurers.
The change “should not directly alter the premiums paid by law firms” because such claims were already covered and reflected in premiums.
The loss to the law firm itself in terms of its own money or reputation would not be covered, as is currently the case.
Many firms choose to purchase additional insurance to cover these losses and the change would have no impact on this, the SRA said.
The new clause would operate by adding an exclusion which sets out that insurance may exclude liability for “first-party losses”, such as partial or total failure of any computer system, but would then “make absolutely clear” that any such exclusion should not exclude or limit any liability of the insurer to indemnify a law firm against any claim for civil liability.
The changes would not affect current protections where, for example, a law firm’s laptop containing personal client data was left on a train by a solicitor and the data was accessed by a third party, resulting in a loss to the client.
Paul Philip, chief executive of the SRA, said: “Cybercrime remains a major risk for all law firms – it’s the fastest-growing crime in the country. Law firms handle large amounts of client money and sensitive information, and that makes them an attractive target.
“The proposed clause on cyber losses provides real clarity for consumers, law firms and insurers about client and third-party protection in the event of cyber-attack.”
The consultation runs until 24 May.