A new clause making it clear what cover will be provided for cyber losses will be added to the minimum terms and conditions of law firms’ professional indemnity insurance (PII) policies.
The addition, drawn up by the Solicitors Regulation Authority (SRA) working closely with both the legal profession and insurers, has been submitted to the Legal Services Board (LSB) for final approval. If agreed, it should be in place for any insurance renewals from early 2022 onwards.
The SRA proposed the additional clause following the Prudential Regulation Authority and Lloyd’s of London asking insurers across the UK to make sure they focus on losses arising from cybercrime in all policies, including those written for law firms.
The clause means insurance policies will explicitly mention cover for cybercrime and specify what losses fall within scope for a potential claim. The cover is for client and third-party protection – losses to the law firm (first-party losses), except for certain costs of investigating and defending a claim, are not covered. Firms can choose to purchase a separate cyber policy for other risks.
The SRA ran a public consultation over the summer on the addition of the new clause, followed by further discussions with insurer representatives and the Law Society based on the feedback received.
Paul Philip, SRA Chief Executive, said
“Professional indemnity insurance offers key protection for the public. Law firms handle large amounts of client money and sensitive information, and that makes them an attractive target to cybercriminals. The clause on cyber losses provides real clarity for consumers, law firms and insurers about client and third-party protection in the event of cyber-attack, without changing the amount of cover specified by the minimum terms and conditions.”
Insurers can continue to offer standalone cyber insurance policies, a decision the SRA describe as “for the firm to consider having regard to its own risk profile and how it runs its business.”
In the interim, the SRA advise that insurers should not be altering the terms of their (SRA) PII policies. Nor do they expect insurers to be using the proposals or any lack of specificity to imply that firms are not covered for claims in respect of civil liability, or other losses in scope of the Minimum Terms and Conditions, that arise because of a cyber-attack.
The SRA has published a summary of the responses to its consultation and its position on those responses, as well as all responses received: https://www.sra.org.uk/sra/consultations/consultation-listing/pii-cyber/
