Risk transfer through insurance
Key insights:
Regardless of size, cyber risk is a significant risk to all law firms
Professional indemnity policies often provide broad coverage for third-party claims but not for the firm’s own losses
Cyber insurance can offer different, additional types of cover including specialist technical support
Cyber risk mitigation involves a combination of risk management and risk transfer, via appropriate insurance.
Every insurance policy should be considered by reference to individual policy wording and it is prudent to review your insurance policies rather than make assumptions about which events will be covered.
Professional indemnity insurance (PII) policies will often provide cover for claims for third-party losses arising in the course of private legal practice, subject to the terms and conditions of the policy and the facts of the case.
However, where cyber fraud involves the loss of the practice’s own funds, a policy designed to cover only third-party claims would not respond. The practice would likely be uninsured for this loss unless it had purchased a suitably worded crime policy or endorsement (under a management liability policy, for example).
Cyber risk policies can offer valuable assistance
Cyber risk policies can offer different types of cover including technical assistance in the case of a cyber event (as defined in the policy), defence costs and penalties for regulatory investigations, business interruption costs and cyber extortion payments.
Cyber events require urgent responses to contain damage and the loss or disclosure of client information. The ability to access specialist expertise at a time of crisis can be an important feature of cyber insurance. For example, IT experts who specialise in responding to cyber events hold keys that unlock malware, and are experienced in quickly identifying evidence of, and responding to, system breaches.
Law practices should assess their individual needs when considering insurance for cyber events, and should do so before such events occur.