Law firms that are the victims of hacker attacks, data breaches or lawsuits resulting from identity frauds are regularly in the headlines. We consider three scenarios to help you assess whether you should get cyber insurance cover.
Third party liabilityThe prime reason why law firms are such attractive targets for hackers is that they hold two things that criminals would dearly love to get their hands on: clients’ money and their personal information.
Solicitors have been the repeated targets of “man in the middle” scams, also known as “Friday afternoon frauds”, in which hackers gain access to their email system and send fake messages to have money intended for property deals diverted to their accounts. As much as £85 million was stolen from law firms in this way in an 18 month period up to March 2016, it has been estimated.
Hackers have also sought to extort money from law firms by locking them out of their computers systems or by stealing client records and demanding a ransom for their return. Meanwhile, the Panama Papers leak of confidential files should be a wake-up call for every law firm. Small firms are vulnerable – and popular targets – precisely because they are unaware of the risks they face.
If your clients’ money or data is stolen or lost as a result of a cyber attack then you should be covered under your solicitors’ PI policy, which protects you against claims for breach of trust and confidentiality.
Another growing risk faced by law firms – being sued for unwittingly being involved in a property scam, where a criminal impersonates the homeowner and sells it, which has resulted in a string of recent legal cases.
First party liability
Of course, it isn’t just clients’ money stolen in email scams: several law firms have had money stolen from their own accounts by cyber fraudsters, by sending emails to the accounts department posing as the managing partner. This isn’t covered under your PI policy, however. It isn’t routinely included in a cyber insurance policy either, although some insurers will offer limited cover for the loss of your own money as a result of a hack for an extra premium.
These are risks that are covered by another insurance, known as a commercial crime policy. So, if your firm is worried about losing its own money, or does a lot of conveyancing work then you should consider buying one of these policies.
If you suffer a breach
Many law firms have suffered a cyber attack, but few are prepared for it, according to a 2016 report by the Computer Response Team, part of the National Cyber Security Centre. Nearly two-thirds of law firms were victims of an attack in the previous year, it said, but barely more than a third had a crisis plan in place.
If you’re one of those firms that doesn’t have a detailed strategy for how to get your business up and running again following a hacker attack then cyber insurance coverage offers a readymade and cost-effective disaster recovery plan.
A cyber insurance policy provides:
The cost of repairing, restoring or replacing your computer system as a result of damage caused by a hacker attack.
Your defence costs and regulatory fines resulting from any investigations by the ICO, the information watchdog, into your data loss. It will also pay your legal costs and settle any claims made against you by clients for not keeping their information securely.
An IT expert to secure your system following a data loss and recover as much of your information as possible.
A legal expert to assist you in notifying regulators and customers, as well as the cost, if needed, in setting up an advice hotline and credit monitoring for those affected.
It’s important to remember that your firm doesn’t have to be the victim of a cyber attack to lose client data. A lost USB stick or stolen laptop containing client files could be just as devastating as a hacker. Law firms have a duty to keep their client’s information secure, and any mistakes could attract a stiff fine from the ICO. Next year, a tough new data protection law, the General Data Protection Regulation, comes into effect, with even harsher sanctions. The average cost of notifying regulators and clients of a data breach is already now £120,000, according to the Ponemon Institute, meaning a data breach could cripple, or even destroy, many law firms.
A cyber insurance policy covers all data breaches, not just hacker attacks. With most cyber policies now offering pretty good value for money, you should perhaps ask yourself: is it worth not having one?