In 2021, after a request from the Prudential Regulation Authority for greater clarity from insurers, the Solicitors Regulation Authority (SRA) revised its minimum terms and conditions (MTCs) for solicitors’ professional indemnity insurance (PII) to explicitly exclude first party losses (those affecting the firm rather than clients) that result from cyber attacks.
While such losses were not previously explicitly included in standard policies, the fact that they have now been excluded puts solicitors on notice that they should give serious thought to their potential liability if they suffer the negative consequences of a cyber attack and consider purchasing cyber insurance.
The Law Society’s guidance is for SRA-regulated entities (law firms) because they must hold PII that complies with the SRA’s MTCs, and they could be affected by the new cyber exclusion clause.
While the new guidance is specifically focused on firms, cyber attacks could still affect members who do not work in organisations regulated by the SRA.
Much of the information included in the guidance is of wider relevance, and we encourage all members to consider their cyber security and cyber insurance needs.
According to a report by the Federation of Small Businesses, 38% of small businesses that have cyber insurance do not know what their policy includes, so do take time to discuss your policy with your broker, and understand the protections you are putting in place.
Law Society president I. Stephanie Boyce said:
“Protection and prevention should be a firm’s priorities to guard against damaging cyber attacks. Insurance is not a substitute for good protection, but an additional safeguard to cover certain costs and losses in the event of a cyber attack.
“It’s not a strict regulatory requirement for solicitors to purchase cyber insurance – but it’s a sensible precaution. Failure to purchase such cover may conflict with solicitors’ regulatory responsibility to have ‘adequate and appropriate insurance,’ or leave them exposed to regulatory action for data breaches.
“Cyber insurance policies vary in scope and coverage. Some will allow for variation to better fit with the nature and activities of a firm or offer different levels of cover.
“It’s important firms understand the options, so that they can choose the cover that’s best for them.
“When considering whether to purchase cyber insurance, it’s wise for firms to understand the potential threat and exposure and develop their own risk management strategy should a cyber attack occur.
“Look at what risks are already covered by your PII policy and other existing insurance policies, which should highlight the limits of cover in existing policies.
“The risks identified but not already covered will serve as a guide for how a cyber/crime insurance policy can service your firm’s additional needs.
“As law firms continue to rely on technology, it’s important they understand the benefits of cyber insurance to ensure they’re covered should they be subject to a cyber attack.
“Solicitors should talk to their brokers about what the changes to the SRA’s minimum terms mean for their business, and purchase cover as necessary. They should also take this as an opportunity to examine their cyber security arrangements more broadly, and consider seeking a cyber security accreditation such as Cyber Essentials.”