James Graham, Deputy Head of Professional Indemnity and Cyber at Travelers Europe
In tandem with other covers, cyber insurance provides the best cybersecurity shield, says James Graham of Travelers Europe.
For so many businesses, it’s a case of not if, but when. In 2021, two in five UK businesses said they had experienced cybersecurity breaches or attacks in the previous 12 months, according to the UK government’s Cyber Security Breaches Survey 2021.
While cyber criminals often don’t discriminate when it comes to launching attacks, law firms are seen as frequent targets. In 2020, the Solicitors Regulation Authority reported that 75 percent of law firms had been targeted by some form of cyber attack. In 2021, the professional services industry was the second most-targeted industry for ransomware attacks, according to research from the global IT forensic response firm Kivu. In the UK alone, the legal sector has reported approximately 200 data security incidents per quarter to the Information Commissioner’s Office (ICO) in recent years.
With attacks on the sector increasing, the financial and reputational consequences for law firms can be severe: threat actors not only lock systems and steal sensitive data, but also threaten to publish or sell it unless a ransom is paid. Containing the damage requires a careful, coordinated and prompt response.
When firms leave cyber protection to chance
When cyber events occur, it’s essential for a law firm to be certain about what its insurance policies cover and what they do not. A traditional Professional Indemnity (PI) policy will likely offer some cyber protections, particularly for third-party cyber liabilities due to the broad civil liability protection included in these policies.
Cover for first-party loss to the business is less clear. In the wake of a ransomware attack, a firm relying on PI cover for cyber protection would have to make a difficult argument to have its first-party costs covered under the PI policy—and at a time when responsiveness is crucial to protecting a business.
A cyber policy which explicitly provides such cover often demonstrates its worth through its ability to quickly activate a coordinated response to a cybersecurity incident or privacy breach.
The key reason for having a separate cyber policy is to have those first-party exposures covered. The pre-arranged incident response service you get with a cyber policy brings together IT forensic investigations, technical guidance, legal advice to help a firm make the necessary disclosures to the ICO, public relations support, business interruption cover, data restoration and other resources a firm needs to respond quickly to a cyber incident and resume business.
When a firm relies on its PI policy or other insurance covers following a cyber incident or privacy breach, it risks exposing itself unnecessarily to costly specialist incident response providers, claim disputes and, potentially, paying more for insurance than it would otherwise have done.
Even if a firm is fortunate enough to have its costs covered under its PI policy, the excess is likely to be higher than under a cyber policy, and the claim would materially affect its PI claims record. It also means there is less limit available for the liabilities the PI policy was designed to cover.
The benefits of a risk-aware culture
A firm without standalone cyber cover is effectively rolling the dice, hoping its other covers will protect it following a cyber attack and accepting that it will have to pay a higher excess as a result. On the other hand, simply having standalone cyber cover sends a message that the firm is committed to its cybersecurity.
The ICO considers a firm’s insurance when evaluating its disclosures following a privacy breach, and has come down hard on those that appear not to have had a business continuity plan or disaster recovery plan in place. At the time of writing, the ICO had issued a penalty to a law firm found to have failed in its duty to implement appropriate security measures in relation to a ransomware attack.
“Having a cyber policy with pre-agreed response services from the insurer at a pre-agreed rate is a good risk management tool,” says Davis Kessler, head of cyber at Travelers Europe. “It helps firms demonstrate to the ICO that they take cyber risk seriously and are doing all they can to protect themselves.”
Further to this, in a hardening insurance market, having a risk-aware culture can help a firm secure cover in the first place. Many insurers are tightening their requirements, writing cyber policies only for organisations that can demonstrate best-in-class multifactor authentication, phishing awareness training, penetration testing, endpoint detection and response, and good patching hygiene.
The cyber cover then helps the firm minimise any financial and reputational damage it suffers following an incident.
Cyber cover is about being able to sleep easy at night. Clients know that in the event of a cyber attack they can dial a 24/7 emergency number and reach a team to help them get back on their feet.