Never before has the legal profession relied so heavily on its IT systems as it has since the beginning of lockdown almost a year ago.

As a profession we recognise that this is the new reality, but we are not the only ones with a heightened interest in these new ways of working. Statistics published by the SRA illustrate that the exposure and vulnerabilities created by remote working have also caught the attention of criminals intent on breaching our systems for financial gain.

The SRA has reported that phishing scams increased by 337% during the first two months of lockdown in 2020 and that, over approximately the same period, law firms lost £2.5m to cyber criminals. The SRA says of these losses ‘much of this was covered by insurance’. This is because, currently, the SRA’s Minimum Terms and Conditions (MTCs), which govern the way that professional indemnity policies for solicitors are written, mean that any loss of client funds which creates a shortfall on client account will be deemed to be a ‘claim’ and will trigger the operation of the policy.

The profession has relied on the assumption that, under the current MTCs, if a firm is the subject of a cyber-incident involving the theft of client money it can rely on the terms of its professional indemnity policy to make good the shortfall.

This is not the whole story. Cyber incidents take a number of forms and do not always involve the theft of client money. Solicitors hold enormous amounts of sensitive client information. Any breach affecting the integrity of our IT systems could and probably will involve a data breach, which will have potentially serious implications, even if there has been no threat to client money.

Solicitors are obliged to self-report such matters to the SRA and in some cases a report to the ICO will also be required. Claims for damages by the client or third party whose data has been compromised are also common.

In this situation the profession turns to its insurers to respond to these losses. But will this be possible in the future?

There has been a great deal of debate recently on the issue of so called ‘silent cyber’. Silent cyber refers to the potentially inadvertent inclusion of cover that responds to cyber risks on the basis that such cover is not specifically excluded. This is problematic for all insurers, as in some cases they have found themselves liable for risks that they did not intend to cover and have not charged for in their calculation of the premium.

In response to this growing problem, the Prudential Regulation Authority and Lloyd’s have required all insurers to revise their policy wordings to make it clear whether this risk is included in, or specifically excluded from, cover.

From the beginning of January 2021, all professional indemnity insurers at Lloyd’s were required to specifically include or exclude cover for this risk. The Lloyd’s Market Association and the International Underwriting Association of London have produced model endorsements for their members to adopt.

My colleague, Julian Miller, worked with the IUA to draft one of the model endorsements.

A further endorsement has since been published by the LMA.

This has been a complex process for the market. Slightly different approaches are adopted in the endorsements published by the IUA and LMA, and the endorsements require careful analysis to consider their effect.

It is complicated further by the fact that a number of professions, not just lawyers, have policies that are governed by MTCs.

For PI policies other than for solicitors, the general principle now is that claims that arise as a result of a cyber-act or a cyber-incident will be excluded from cover, as will claims arising as a result of a breach of data protection legislation. The IUA clause differentiates between direct and indirect causes. This reflects the possibility that there may be intervening (negligent) conduct which should remain insured.

For solicitors the position is different. An extension of time has been agreed between Lloyd’s and the SRA until 1 October 2021 to consider the implications of varying cover and to consult with stakeholders, including the Legal Services Board. Until the outcome of that consultation is settled, insurers cannot include the model endorsements in solicitors’ PI policies.

Solicitors are one of the few professions which hold client money and accordingly the financial consequences that arise from a cyber-incident can be severe. As a consequence, the SRA will need to give careful consideration to the best way to proceed, given the importance that the SRA places on the protection of the public. They will always want to be satisfied that client money is protected by a valid PI policy that will respond to any shortfall. To date, there has been no suggestion from any regulators that stand-alone cyber cover should be mandatory, and this may be unwelcome in a hardening market, yet risks which are excluded from PI policies may be considered sufficiently critical to require cover in some manner.

Solicitors and their insurers will be monitoring the position closely over the next few months and, as part of the SRA’s consultation, which is due to open by the end of April 2021, will be able to express their views. We understand that a draft clause prepared by the SRA is already in circulation amongst Participating Insurers.

Clare Hughes-Williams is a professional risks partner at international law firm DAC Beachcroft