SRA backs new cyber-losses clause for indemnity policies


Philip: Clause provides real clarity

The extent to which losses caused by cyber attacks are covered by law firms’ professional indemnity insurance (PII) policies is to be clarified by the Solicitors Regulation Authority (SRA).

It has launched a consultation on adding a clause on cyber losses to the minimum terms and conditions of insurance to provide “absolute clarity” for law firms, insurers and consumers, without altering the scope of consumer protection.

Cyber-attacks are on the rise; cybercrime caused £2.5m of reported losses to law firms in the first half of 2020 alone.

The new clause would be “in line with the expectations that the Prudential Regulation Authority (PRA) and Lloyd’s of London have of insurers”.

The regulator said the PRA and Lloyd’s were concerned that some insurance policies were not specific enough about exactly which cyber-related losses were covered.

“This means that firms might wrongly think they have PII cover for certain types of loss arising out of a cyber-attack, or that firms might be paying for the same cover through several policies (for example, the separate cyber insurance policies) when they have no need to do so.

“The PRA and Lloyd’s are therefore requiring insurers to take steps which include making provision for cyber losses explicit in their insurance policies, including for PII.”

Under the proposed clause, losses caused by a cyber-attack “which fall within scope of a claim for civil liability against a regulated law firm” must be covered by insurers.

The change “should not directly alter the premiums paid by law firms” because such claims were already covered and reflected in premiums.

The loss to the law firm itself in terms of its own money or reputation would not be covered, as is currently the case.

Many firms choose to purchase additional insurance to cover these losses and the change would have no impact on this, the SRA said.

The new clause would operate by adding an exclusion which set out that insurance may exclude liability for “first-party losses”, such as partial or total failure of any computer system, but then “make absolutely clear” that any such exclusion should not exclude or limit any liability of the insurer to indemnify a law firm against any claim for civil liability.

The changes would not affect current protections where, for example, a law firm’s laptop containing personal client data was left on a train by a solicitor and the data was accessed by a third party, resulting in a loss to the client.

Paul Philip, chief executive of the SRA, said: “Cybercrime remains a major risk for all law firms – it’s the fastest-growing crime in the country. Law firms handle large amounts of client money and sensitive information, and that makes them an attractive target.

“The proposed clause on cyber losses provides real clarity for consumers, law firms and insurers about client and third-party protection in the event of cyber-attack.”

The consultation runs until 24 May.



