This article was first published on January 29, 2020 in the Law Council of Australia’s Australasian Law Management Journal.

A recent global survey of risk managers by Allianz reported that for the first time cyber incidents were regarded as the top peril for companies globally.  For professionals with special duties of confidentiality and fiduciary obligations to manage money held in trust, such as lawyers, the risks can be even greater.

In a recent study of 172 Australian and New Zealand law firms by ALPMA and GlobalX, 87% of respondents said that cyber security was a concern for their firm, and almost one in five respondents reported a cyber security breach at their firm in the last two years, with this figure jumping to almost 40% for firms with between 75-149 employees.  

Risk prevention includes implementing technical information security measures, staff education and risk management processes. But if, despite those measures, your firm is the victim of a cyber incident or email fraud, will you be covered under your insurance?

Insurance cover

When it comes to cyber events and email fraud impacting legal practices, three different types of policies may be required for comprehensive insurance cover – professional indemnity insurance, cyber insurance and crime cover designed to respond to electronic funds transfer frauds. While policy wordings can vary and should be considered carefully before making insurance decisions, the following general overview explains how different classes of insurance can support your firm’s cyber resilience strategy.*

Third party losses

Third party claims are usually made by clients and former clients, but they can be made by non-clients, such as beneficiaries under a deceased estate. Professional indemnity insurance (PII) policies for legal practices generally provide broad coverage for third party claims. If, for example, a client brings a claim against your firm for paying money into the wrong bank account as a result of an email scam in which you were given false bank account details for your client, then your PII policy is most likely to respond to any claim by the client against the firm.

However, where cyber fraud or email scams involve the loss of the practice’s own funds, a policy designed to cover only third party claims is unlikely to respond. The practice would likely be uninsured for this loss unless it had purchased a suitably worded crime policy or crime cover included under another policy.

Firm losses

Business email compromise involving impersonation fraud often involves firms’ own money. A typical example is known as “CEO fraud” and involves a fake email that appears to be sent by a managing partner to someone in the firm’s finance department. If the accounts officer fails to detect the scam and actions the payment requested in the fake email, the money is likely to become untraceable within a very short time frame. Crime policies, or crime cover included in other relevant policies, such as management liability or comprehensive cyber risk policies can provide cover for electronic crimes including funds transfer frauds as a result of business email compromise (it is however prudent to check that social engineering/impersonation fraud is expressly included). 

Cyber events involving computer intrusion through ransomware or hacking require urgent responses to contain damage, loss and disclosure of client information.

The ability to access specialist IT support at a time of crisis is an important feature of cyber insurance. For example, forensic IT experts who specialise in responding to cyber events hold keys that can unlock many types of malware, and are experienced in quickly identifying evidence of and responding to system breaches.

Cyber risk policies offer this type of crisis assistance which provides significant support in limiting the firm’s own business losses through proactive, early intervention. There are a range of policies for law firms to consider, each offering a different suite of coverages. Policies that are foundational in nature focus on coverage such as technical assistance in the case of a cyber event, defence costs and penalties for regulatory investigations, business interruption costs and cyber extortion payments. Policies designed to offer more comprehensive protection can include other types of cover such as comprehensive computer crime cover, reimbursement of costs associated with responding to fraudulent electronic communications impersonating your business and a range of other exposures.

Most importantly, lawyers should consider their individual practice needs when considering insurance for cyber events - before they occur. 

* This article provides a general overview of how different types of insurance policies might respond to cyber events. However, policy wordings vary across jurisdictions, insurers and policies, so you should check your own policies to assess the insurance cover presently available to your firm. This article provides general information only and does not constitute legal or insurance advice. If you require such advice, you should seek specific advice tailored to your circumstances.

Simone Herbert-Lowe,
Solicitor and Director,
Law & Cyber Pty Ltd.

© 2019 Law & Cyber Pty Ltd.

This article is subject to copyright. Except as permitted under the Copyright Act, 1968, no part of it may be reproduced, published, adapted or communicated to the public without the written consent of Law & Cyber Pty Ltd.