Buying a cyber-policy is not just about minimising financial loss, says John Wooldridge.

Recent PwC research revealed that cybercrime accounts for 44% of Britain’s economic crime. Law firms are not immune. Insurer QBE recently stated that its insureds had suffered 150 successful cases of ‘Friday fraud’ and 10 times as many failed attempts.

You would therefore expect firms to be rushing to buy cyber-liability cover, but it is thought to be the largest uninsured risk in the UK.

Cyber-premiums are comparatively low, there is a broad range of insurers providing cover, and the purchase process (unencumbered by the lengthy proposal form associated with professional indemnity (PI)) is straightforward. So why the reluctance to buy?

Firms often believe they benefit from cover under another policy, for example PI, business interruption or crime. These policies do offer some cover for cyber-related losses. PI, for example, should cover third-party losses arising from a hack. Concerns about duplication of cover and attempts to minimise insurance spend could, therefore, justify not purchasing a separate cyber-policy.

Cyber-losses are a recent phenomenon, so insurers’ interpretation of which policy responds is something of a moveable feast. There is also a lack of clarity about cover for first-party losses under a PI policy, but most cyber-policies will offer cover for some first-party losses, such as those arising from social engineering.

But should cover for financial loss be the principal driver for buying a cyber-policy? Not according to many cyber-underwriters. What should convince a firm to buy is the specialist incident response service the cover offers, not typically available under other insurance policies.

Cyber-criminals are sophisticated. You are unlikely to succeed in continuously protecting your practice, so you must be equipped to respond appropriately and rapidly:

  • Do you have immediate access to the expertise required to resolve a CryptoLocker attack?
  • How would you minimise reputational damage if your clients’ personal information is stolen?
  • What would you do if an employee lost a company laptop which provides access to your practice management system?
  • How would you cover the cost of hiring specialist crisis management advisers and how would you know which firms to work with?

First and foremost, cyber-cover is a risk management product. If the specialist support and balance sheet protection offered by cyber-cover do not justify a purchase decision, then consider the increasing likelihood that corporate clients will demand evidence of both appropriate insurance cover and incident response procedures.

John Wooldridge is a partner at Howden Professional Indemnity