Will insurers be running for the hills over cyber as they did with Covid claims? (Mar22)

Rarely do geopolitical events create such a seismic shift in risk across the spectrum of law firms as we are seeing now.

Law firms of all sizes have long been a target for cyber attacks: examples include the Chinese-based hacking of Canadian firms for inside information on a $38-billion corporate takeover in 2010; the 2017 NotPetya attack, attributed to the Russian military, which closed down DLA Piper’s emails for six days; the massive data breach at Mossack Fonseca which led to the Panama Papers; and, at the other end of the scale, a small American personal injury firm targeted for medical information.

We have also seen significant attacks on the Simplify Conveyancing Group and two sets of chambers.

Professional indemnity policy wordings have been changed: we mentioned the Solicitors Regulation Authority (SRA) consultation on changes to the SRA Minimum Terms and Conditions (MTC) in our September 2021 Risk Update.  The intention behind the changes was to make clear that cover was intended to apply only to client claims, not the firm’s own losses.

Of great concern is that professional indemnity policies and cyber policies will typically contain exclusions for war and terrorism. In November 2021, the Lloyd’s Market Association Bulletin published four “Cyber War and Cyber Operation Exclusion Clauses” for standalone cyber policies, though the drafting of them may leave something to be desired. Insurers have on occasion sought to rely on war and terrorism exclusions following cyber attacks. (An unsuccessful attempt in the US courts was mentioned in our January Risk Update.)

Policies written in compliance with the MTC are subject to a proviso in respect of civil liability and related defence costs arising from any actual or alleged breach of duty in the performance of legal work, but this may not be so in the case of excess layer professional indemnity or cyber policies; nor is there such a proviso in the Council of Licensed Conveyancers’ Minimum Terms and Conditions.

The risk of insurers seeking to rely on a war exclusion is now substantially increased by events in Ukraine and would doubtless be considered if an attack were made on a provider of software services such as accounts or case management, crippling a large number of firms at the same time. We have seen attacks on IT providers including Microsoft, SolarWinds and Kaseya over the past year. We could see a repeat of the problems which beset many businesses when insurers contested their Covid-related claims on business interruption policies. This would be far from satisfactory when a key benefit of cyber policies is the breach response support.

Hence we ask “Will insurers be running for the hills over cyber as they did with Covid claims?” A large part of our work involves protecting firms from wrongful declinature of cover by insurers and conflicts of interest on the part of their panel lawyers. We recovered several million pounds from insurers for clients with Covid claims, but that does not alter the fact that the policies were sold on the basis that they would provide peace of mind and protect them in their hour of need, which they manifestly failed to do.

A joint advisory from the National Cyber Security Centre (NCSC), Australian Cyber Security Centre (ACSC), Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) details the increased globalised threat of ransomware and the mitigation steps organisations can take.  (A link is on www.legalrisk.co.uk/News.)

Cyber insurance is becoming more expensive and proposal forms more onerous.  Proposal forms need to be considered critically to ensure that firms are not warranting that certain measures are invariably taken when in fact they are only ‘usually’ taken.

It is therefore imperative that firms review their information security in the light of developments. For those relying on external IT support, that support may fall short of what is required for information security, which may need to be secured elsewhere. One measure which seems not to attract mention in articles is the (free) National Cyber Security Centre Early Warning Service. This provides incident notifications, network abuse event alerts, and vulnerability and open port alerts.

Data protection (Mar22)

The new standard form International Data Transfer Agreement (IDTA) and Addendum to the new EU Standard Contractual Clauses (SCC Addendum) for transfers of personal data from the UK to countries not covered by UK adequacy decisions come into force on 21 March 2022.

The old EU standard contractual clauses, adapted for use in the UK context, may continue to be used until 21 March 2024 for transfers from the UK under contracts signed on or before 21 September 2022, provided there are no changes to the processing operations or the subject matter of the contract, and provided they ensure a level of protection equivalent to that under the UK data protection regime. Guidance appears on the Information Commissioner’s Office website.

Links to data protection resources are on www.legalrisk.co.uk/Data.

International sanctions (Mar22)

The SRA published a news release on 23 February 2022, warning that all SRA-regulated firms must have appropriate policies in place to ensure they comply with sanctions legislation, including undertaking regular and appropriate checks of sanctions lists.

The Russia (Sanctions) (EU Exit) (Amendment) Regulations 2022, in force from 10 February 2022, amend the designation criteria of The Russia (Sanctions) (EU Exit) Regulations 2019. Designation criteria now include those who have been involved in obtaining a benefit from or supporting the Government of Russia.  (Links to both documents are on www.legalrisk.co.uk/News.)

With almost daily additions to sanctions lists, firms which are more exposed to higher-risk clients will need to consider electronic monitoring of not only client lists but also counterparties. They should also check how often the providers update the electronic checks, the data sources, and the use of filters and fuzzy matching.

Anti-money laundering (Mar22)

The Money Laundering and Terrorist Financing (Amendment) Regulations 2022 (S.I. 2022/137) amend the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (S.I. 2017/692), mainly changing the time limits for registration of trusts (extended to 1 September 2022) but also adding further exclusions to the type of trusts which are required to register. There are certain other minor changes.

Chainalysis published its 2022 Crypto Crime Report, explaining how cryptocurrency is used in money laundering and ransomware.

Links to both documents are on www.legalrisk.co.uk/News. Extensive resources can also be found on www.legalrisk.co.uk/AML.

Professional indemnity insurance (Mar22)

We have commented in previous issues on the number of coverage issues we encounter, despite the breadth of cover which solicitors enjoy under the MTC.  We are also encountering a number of issues where defendant panel firms are conflicted.

In Doorway Capital Ltd v American International Group UK Ltd [2022] EWHC 182 (Comm) (link: www.legalrisk.co.uk/News) it was held that there was no right to indemnity under a policy written under the MTC for a claim relating to the firm’s funding as the claim did not arise from the provision of services in private practice as a solicitor.  Sutherland Professional Funding Ltd v Bakewells [2011] EWHC 2658 (QB) and Impact Funding Solutions Ltd v Barrington Support Services Ltd [2013] EWHC 4005 (QB) considered. Obiter, the trading debt exclusion would have applied.

Editor

0345 330 6791 Frank.Maher@legalrisk.co.uk