The Solicitors Regulation Authority has said that its proposal for a new cybercrime clause in insurance policies should not push premiums up for law firms.
The regulator has responded to the increased risk and scale of cyber-attacks in recent years with a planned change to the minimum terms and conditions for professional indemnity insurance. The proposal is that client losses caused by a cyber attack which could result in a claim against a firm must be covered: a new clause in the MTCs would make it explicit that consumer protection under insurance arrangements equally applies if any loss is because of a cyber event.
The SRA says its proposal – which is subject to consultation from today – maintains the current level of consumer protection and allow insurers to be clear and therefore better manage their exposure. Firms, it is argued, will also be in a better position to review whether they should purchase a cyber policy for other risks, for example to the firm itself.
But there will be concern among some firms, already facing steep increases in premiums and a tightening PII market, that any extra clauses will cause costs to rise further.
The SRA says the proposed change ‘should not directly alter’ the premiums paid by law firms, as claims for liability caused by a cyber-attack have always been considered to be in the scope of existing MTCs.
Any loss to the firm itself caused by a cyber-attack would still not be covered – for example, the PII policy is not intended to provide cover for the costs of rectifying any reputational issues, or a fine from the Information Commissioner’s Office. The SRA points out that many firms choose to purchase additional insurance to cover any business losses caused by cyber attacks and its proposal does not affect those products.
SRA chief executive Paul Philip said: ‘Cybercrime remains a major risk for all law firms – it’s the fastest-growing crime in the country. Law firms handle large amounts of client money and sensitive information, and that makes them an attractive target. Professional indemnity insurance offers key protection for the public. The proposed clause on cyber losses provides real clarity for consumers, law firms and insurers about clients and third-party protection in the event of a cyber attack.’
The consultation lasts until 25 May, and in the meantime insurers are being urged not to alter the terms of their policies, or to suggest that the proposal implies that firms are not already covered for cyber claims.