Law firms are prime targets for cyber criminals. As a solicitor, you are the trusted recipient of all sorts of highly confidential data. Moreover, your client account is likely to hold large sums, with significant sums transferring at regular intervals.
The Information Commissioner's Office (ICO) has long been 'sounding the alarm' on data breaches in and from law firms - and this has been backed up by increasing numbers of breaches causing claims - both against firms' Professional Indemnity insurance (PII) and dedicated cyber policies.
Causes and relative costs of breaches
Research by the Ponemon Institute (2014 Cost of Data Breach Study: United Kingdom) suggests that 40% of data breaches in the UK are caused by negligence or human error, 38% by malicious or criminal attacks and 22% by IT and system glitches. Nonetheless, the malicious and criminal attacks are the most costly.
The report suggests that the per capita cost of malicious or criminal attacks (correct as at 2014 figures) is 56% higher than that of breaches caused by negligence or human error (£119 vs £76), so while it is very important to keep staff focussed on best practices and awareness, the wider protective measures you take are vital as well.
PII Gaps - what your Master Policy will not cover
Many firms still rely on their PII or Office policy to respond in the event of a theft of money or data, but that approach does expose some serious gaps. Your Master Policy will not provide cover for:
- loss of employee and partner information
- any damage to networks, servers or databases until (and unless) there is a client claim
- breach investigation expenses, including specialist legal advice, forensic investigations and IT recovery and security expertise
- costs of notifying affected clients, of offering appropriate credit and ID monitoring services, and of hiring appropriate public relations expertise
- cyber extortion expenses incurred
- consequential loss of revenue resulting from a network interruption
Remember also that the source of a breach is often a third-party supplier. There may be arguments over liability and culpability, but in the meantime your clients will demand that you respond to the breach, and you will incur various costs in doing so. These may not be recoverable from your third-party suppliers, nor would they be covered by your PII.
PII policies are not designed to address the needs of firms suffering a cyber attack of any sort, and tend to be slow to respond. The policy coverage gaps also mean that you may be exposed to a dispute over coverage.
Doesn't my office insurance policy cover us?
Typically, an Office Policy will only respond when there has been a physical event such as a break-in or clear physical damage inflicted to property. Such policies are not well suited to address the increasing incidence of 'cyber' losses - which rarely inflict physical damage to property. Your IT system may be critically damaged, and untold business damage inflicted, but your office policy is unlikely to respond unless you have a special cyber extension, and even these are typically much less robust than a dedicated cyber/crime policy.
How Lockton can help
Lockton's specialist cyber-team is world-leading. But we do not just deal with the large multinationals and corporates. We also have specialist teams and products designed for professional practices. If you want to discuss your practice's exposure to data security risks, or want to better understand how well your current insurances protect you, we can undertake a gaps analysis for you.
For more information, contact your Lockton Account Executive.