After a very long 18-month period of isolation, we are all looking forward to never having to sit through another Zoom call with our colleagues and to seeing our friends and colleagues in person as the workplace gradually reopens.
Not everything, though, is going to return to the way it was in March 2020. Having mastered remote working over the past 18 months, many workplaces are adopting a permanent "hybrid" working system. This modern way of working will undoubtedly be positive: it enables employees to work part of their time from virtually anywhere with a good internet connection and avoids the daily cost and time spent commuting either side of the working day.
But the pandemic has also marked a turning point in cyber security. Shortly after the start of the lockdown, in April 2020, the UK's National Cyber Security Centre warned that cyber criminals were targeting individuals and organisations with a range of ransomware and malware. It also warned that these criminals were scanning for vulnerabilities in software and remote working tools. And law firms are a big target. Nicola Vince, Senior Claims Executive at the leading insurance broker Howden, comments:
“The Howden claims team has seen an increase in notifications from law firms relating to cyber incidents. This is consistent with reports of an increase in cyber security issues in the wider community as a fallout of the pandemic.”
According to the SRA, in the first half of 2020 nearly £2.5m of client money held by law firms in their client accounts was stolen by cyber criminals – over three times the amount reported in the same period in 2019. In this article we consider the problems and how PII policies might respond to a cyber claim.
It is necessary to consider the meaning of cyber security. It is generally considered to mean the practice of protecting systems, networks, and programs from digital attacks, which are usually aimed at accessing, changing, or destroying sensitive information, extorting money from users, or interrupting normal business processes.
In September 2020, the SRA published its review of 40 firms which had suffered cyber security breaches describing the results of attacks as ‘…catastrophic’ for the businesses affected. This threat is an issue that clearly needs to be addressed carefully, particularly with remote working, which is a method of working that is here to stay.
Cyber criminals are sophisticated and their methods of attack are constantly evolving. Hackers are always looking for ways to breach security systems. At a time when many businesses' security arrangements may not have been – and may not continue to be – updated to a sufficiently secure level, the threat of a security breach remains a real risk that firms need to recognise and address by putting appropriate measures in place.
Too close to home
Perhaps the most significant recent warning that a cyber attack can happen to any legal business follows the report on 29 June 2021 that a leading set of London barristers' chambers, 4 New Square, who will be familiar to many PII insurers, experienced a cyber security incident in the form of a ransomware attack. This reportedly affected c.6% of instructing solicitors over the past five years, causing a raft of confidentiality and GDPR problems for many of them and their clients. Gateley PLC also reported being the victim of a serious cyber attack on 16 June 2021, and more recently the press has reported that another set of London barristers' chambers, 3 Verulam Buildings, experienced an IT security incident on 9 July 2021.
As the number of cyber attacks on law firms continues to rise (and as more of their clients suffer losses through cyber attacks), so too has the number of claims made against PII policies.
The SRA issued a warning notice on 23 April 2020 reminding law firms that they are a priority target for cyber and ransom attacks for several reasons, including:
- the large amounts of money held in solicitors' client accounts, and the increased risk of cyber criminals extorting a ransom in light of the strict Accounts Rules that solicitors are required to adhere to
- the sheer volume of email traffic passing to and from a law firm each day, which makes it easier for false emails to slip through the net. All it takes is one employee who is not as diligent as they should be, perhaps through overwork, and who fails to check the source of an email link or even the sender
- the vast amount of confidential corporate and personal data held by law firms, and the consequences of a GDPR breach.
These are just three of many factors that make law firms in particular a focus for hackers. Businesses' "Bring Your Own Device" (BYOD) practices (not BYOB!) bring further risks. Employers should be vigilant in ensuring that employees work within the security protection that the business network would usually provide. A prime example of where that protection may be absent is an employee reading work emails on a personal mobile phone.
According to a recently reported study by the Ponemon Institute, 67% of security professionals say remote workers use their own mobile devices for work purposes. However, there is a lack of security, control and visibility over such unsecured personal devices, making them extremely vulnerable targets. The risks include:
- lost or stolen devices
- data leakage
- unauthorised access to data and systems
- users downloading unsafe apps or content
- risk of malware infections.
Firms should refer to the SRA's support guide to ensure that they are doing what they can to eliminate/reduce risks.
The current position: 'silent cyber'
In order to protect clients' financial interests, and in accordance with the requirement under the Code of Conduct that solicitors keep client money and assets safe, the solicitors' minimum terms and conditions for professional indemnity insurance (the MTC) require insurers to indemnify shortfalls on a solicitor's client account. However, cyber attacks are not limited to the theft of client money and can also involve the loss of confidential data.
Whether cyber losses would be covered by a PII policy has been the topic of debate among insurers, brokers and policyholders for some time. The phrase 'silent cyber' refers to insurers' unknown liability to policyholders in the absence of specific policy exclusions; for example, some insurers have found themselves liable for risks that they did not intend to cover and had not taken into account when calculating the premium.
So far as solicitors' policy coverage is concerned, Nicola at Howden also comments:
“Firms need to be aware that some losses arising from a cyber incident will not be covered under their PI policy. For example, a PI policy will not cover significant costs such as specialist assistance to mitigate an incident, communicating with affected clients or the financial impact of the interruption to the business. These are all issues which can be covered by a separate policy and we strongly recommend that firms review their current policies to ensure there is no gap in cover.”
Changes to the MTC
In response to this growing problem, the SRA is consulting on a proposal to change the MTC in relation to cyber cover, in line with the Prudential Regulation Authority's (PRA) expectation that insurers identify and manage cyber insurance risk. Lloyd's of London (Lloyd's) is concerned, however, that current insurance policies can be vague on whether cyber-related losses are covered, leaving law firms confused as to what is covered and sometimes paying for unnecessary additional, separate cyber insurance cover.
From the beginning of January 2021, all Lloyd's PII insurers (other than solicitors' PII) have been required specifically to include or exclude cyber risks, and the LMA and IUA have prepared template endorsements for insurance providers to adopt.
As professional indemnity lawyers who regularly defend claims against solicitors, and who often act for insurers on coverage issues in relation to such claims, we are particularly interested in how the MTC responds in the event of a cyber attack and in the outcome of the SRA's consultation on the proposal to add a clause to the MTC setting out what is and is not covered when a firm is subject to a cyber attack or event.
The SRA's objective is to provide absolute clarity for law firms, insurers and consumers (without altering the scope of consumer protection provided by the MTC). It proposes to add an exclusion to the MTC under which insurers can exclude liability in respect of first-party losses caused by a cyber attack, while making clear that such an exclusion will not exclude or limit any liability of the insurer to indemnify a law firm against any claim for civil liability. This includes the obligation to remedy a breach of the SRA Accounts Rules.
This would mean, for example, that any cyber attack leading to a claim for civil liability that requires redress to be provided to a client or third party would be covered, in line with the consumer protection already offered by PII. However, first-party losses suffered by the business itself (for example, loss of the firm's own money, or costs incurred rectifying any reputational damage caused by the cyber attack) would not be covered under the MTC, nor would a fine from the ICO (Information Commissioner's Office) resulting from a cyber attack affecting confidential data.
The SRA's consultation closed on 25 May 2021 and we are waiting for the outcome to be published. At Womble Bond Dickinson we see no disadvantage arising from the proposed changes. Premiums are apparently unlikely to be affected on the basis that the level of protection afforded by the MTC is simply being maintained – i.e. the cover is already available (but in many cases unknowingly) and the proposals will provide clarity for insurers, law firms and their clients.
The proposed changes should reduce the number of coverage disputes following a cyber attack. Insurers can still offer standalone cyber insurance policies to law firms which provide cover for the firm's first-party losses referred to above, but this is currently not a regulatory requirement for law firms.