Is the Cyber Insurance marketing hardening for Solicitors?
In this month’s RISKUPDATE bulletin for the Manchester Law Society we look at what is a relatively new class of insurance and yet is already under some pressure.
Many law firms have been used to buying this class of insurance for some years now, initially from specialist Insurers only, before it became available more commonly around 2015/2016 when there would have been over 70 differing policy wordings offered in the market.
What Are We Seeing?
- In 2021 we came across Professional Indemnity (PII) Insurers for the first time insisting upon Cyber Insurance policies being in place before agreeing to effect PII cover.
- In line with all other PII policies, 2022 has seen the application of ‘Cyber and Data’ cover restrictions incorporated into the Minimum Terms & Conditions (see our April issue).
- Cyber claims! There are plenty of examples available in the press and on the internet. Many claims we know are sizeable and generally Insurers have responded well, however it is clear that the sector is being specifically targeted by ‘threat actors’(*), due to the volume of sensitive information that they hold.
*What Is A Threat Actor?
A threat actor, or malicious actor, is either a person or a group of people that take part in an action that is intended to cause harm to the cyber realm including: computers, devices, systems, or networks. The term is typically used to describe individuals or groups that perform malicious acts against a person or an organization of any type or size.
Impact on the Insurance Market?
- Naturally, the size and volume of claims paid out by Insurers ultimately has a knock-on effect on the availability and price of cover going forward.
- Already we have seen a hardening of the sector. At the very least, the question sets required by Insurers within their proposal forms are proving quite lengthy, with much focus on their ‘security’ requirements around a firm’s ‘Cyber’ controls and processes.
- Further, we see Insurers viewing law firms as a sector where they feel a need to tighten up in the knowledge that threat actors are stealing data (e.g. class actions lists, divorce settlements, or other sensitive client information) leading to disproportionate extortion demands that are far higher than any other industry sector. As a result, the sector has a far greater propensity to pay the ransom demands due to the possible reputational and legal repercussions, with limited consultation on their alternative options.
- One key Cyber Insurer of the legal profession tells us that over 80% of their largest ransomware claims in the last six months have related to law firms, all sub £50m revenues but some with revenues under the £5m mark.
- Ransom demands will in some cases be set having firstly taken account of the firm’s own income, profitability etc. – the Cyber criminals are doing their homework, seemingly taking account of what they think a firm can afford to pay.
- In turn, in some cases the market can now see a co-insurance provision requiring the Insured firm to pay 20% of the ransomware payment.
- Reduced Limits of Indemnity are becoming the norm.
Please take a look at the following links if of interest.
Treat Cyber insurance as a service, the last line in your defence against the criminals. The support Insurers can give if an attack does happen can be invaluable in terms of forensic investigation, PR and so on.
Good quality insurance solutions remain available for most law firms.