Insurance policies will have to make clear whether cover is provided for cyber losses under new rules agreed by the Solicitors Regulation Authority.
The new clause outlining the extent of cover will be added to the minimum terms and conditions of law firms’ professional indemnity insurance policies. They will explicitly mention cover for cybercrime and specify what losses fall within scope for a potential claim.
The minimum cover is for client and third-party protection: losses to the law firm (first-party losses), except for certain costs of investigating and defending a claim, are not covered, and firms can choose to purchase a separate cyber policy for other risks.
The SRA proposed the additional clause after the Prudential Regulation Authority and Lloyd’s of London asked insurers across the UK to make sure they focus on losses arising from cybercrime in all policies.
A consultation followed over the summer in which the SRA worked with the Law Society and insurer representatives to create the new clause. Depending on approval from the Legal Services Board, the clause should be in place for renewals from early next year.
Paul Philip, SRA chief executive, said that law firms are attractive targets for criminals. ‘The clause on cyber losses provides real clarity for consumers, law firms and insurers about client and third-party protection in the event of cyber-attack, without changing the amount of cover specified by the minimum terms and conditions.’
The SRA says that the proposed change should not directly alter premiums paid by law firms as claims for civil liability caused by a cyber-attack have always been considered to be in scope of a compliant PII policy. Insurers can continue to offer standalone policies to law firms, but the regulator is not mandating that law firms buy separate cyber insurance policies.