Cyber insurance can be a useful addition to any business, but law firms in particular can benefit from that extra protection.
That’s because law firms handle sensitive and valuable data, relying on computer systems to conduct their day-to-day activity. This makes them an attractive target for cybercriminals.
Despite the risks, the Law Society of England and Wales found that seven in ten firms still don’t have cyber insurance. This is partly down to the misconception that the risk of suffering a breach is small compared to the cost of protection. We’ve also found that some law firms believe they have cyber cover as part of their indemnity insurance.
To help reduce your cyber risk, we’ve put together some things to consider:
- Check for insurance gaps: If you have solicitors’ professional indemnity insurance, you may think you have cyber cover as part of your policy. However the Solicitors Regulation Authority (SRA) revised the minimum terms and conditions in 2021. These changes explicitly exclude first-party losses, e.g. office account losses resulting from a cyber event. It’s important to revisit you policy to see if you currently have cover. If not, you may wish to take out cyber insurance.
- Protection and prevention: While cyber insurance is essential, it should not replace good cybersecurity practices. Law firms should prioritise protection and prevention measures to guard against cyber losses.
- Risk reduction: To reduce cyber risks, firms should implement strong system protection, disaster plans, and incident recovery processes. Effective controls and risk management processes may also help lower professional indemnity insurance premiums.
- Risk management: Firms should develop their risk management strategy, considering factors such as the volume of sensitive information held, reputational impact, and the ability to absorb costs following a cyber event.
- Cyber defence protocols: Insurers are increasingly scrutinizing cyber defence protocols. To help reduce your risk exposure, you should look at incorporating multi-factor authentication, endpoint protection, backups, incident response plans and vulnerability assessments.
- Policy provisions: Law firms should carefully review policy provisions, including requirements for preventative measures and adherence to cybersecurity standards like Cyber Essentials or Cyber-security Information Sharing Partnership.
- Notification of data breaches: Firms must be aware of separate regulatory requirements for the notification of data breaches. For example, you may wish to visit the following websites to learn more:
UK GDPR guidance and resources | ICO
GDPR for solicitors | The Law Society
Reporting and notification obligations | SRA
Once you’ve reviewed your current policies and processes, you may wish to add an extra layer of protection with cyber insurance. It protects your firm against the financial and reputational consequences of cyber incidents.
It’s designed to complement your existing cybersecurity practices and risk management efforts, meaning it shouldn’t be the only layer of protection you have in place.
If you’d like to get specialist advice on protecting your law firm, you can speak to one of our insurer brokers. At Wesleyan Financial Services, we work with a panel of insurers, to find you the right policy for your firm.