Rarely do geopolitical events create such a seismic shift in risk across the spectrum of law firms as we are seeing now.
Law firms of all sizes have long been a target for cyber attacks: examples include the China-based hacking of Canadian firms for inside information on a $38-billion corporate takeover in 2010, the 2017 NotPetya attack, attributed to the Russian military, which closed down DLA Piper’s emails for six days, the massive data breach at Mossack Fonseca which led to the Panama Papers, and, at the other end of the scale, a small American personal injury firm targeted for medical information.
We have also seen significant attacks on the Simplify Conveyancing Group and two sets of chambers.
Professional indemnity policy wordings have been changed: we mentioned the Solicitors Regulation Authority (SRA) consultation on changes to the SRA Minimum Terms and Conditions (MTC) in our September 2021 Risk Update. The intention behind the changes was to make clear that cover was intended to apply only to client claims, not the firm’s own losses.
Of great concern is that professional indemnity policies and cyber policies will typically contain exclusions for war and terrorism. In November 2021, the Lloyd’s Market Association Bulletin published four “Cyber War and Cyber Operation Exclusion Clauses” for standalone cyber policies, though their drafting may leave something to be desired. Insurers have on occasion sought to rely on war and terrorism exclusions following cyber attacks. (An unsuccessful attempt in the US courts was mentioned in our January Risk Update.)
Policies written in compliance with the MTC are subject to a proviso in respect of civil liability and related defence costs arising from any actual or alleged breach of duty in the performance of legal work, but this may not be so in the case of excess layer professional indemnity or cyber policies; nor is there such a proviso in the Council of Licensed Conveyancers’ Minimum Terms and Conditions.
The risk of insurers seeking to rely on a war exclusion is now substantially increased by events in Ukraine, and would doubtless be considered if an attack were made on a provider of software services such as accounts or case management, crippling a large number of firms at the same time. We have seen attacks on IT providers including Microsoft, SolarWinds and Kaseya over the past year. We could see a repeat of the problems which beset many businesses when insurers contested their Covid-related claims on business interruption policies. This would be far from satisfactory when a key benefit of cyber policies is the breach response support.
Hence we ask: “Will insurers be running for the hills over cyber as they did with Covid claims?” A large part of our work involves protecting firms from wrongful declinature of cover by insurers and from conflicts of interest on the part of their panel lawyers. We recovered several million pounds from insurers for clients with Covid claims, but that does not alter the fact that the policies were sold on the basis that they would provide peace of mind and protect those clients in their hour of need, which they manifestly failed to do.
A joint advisory from the National Cyber Security Centre (NCSC), Australian Cyber Security Centre (ACSC), Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) details the increased globalised threat of ransomware and the mitigation steps organisations can take. (A link is on www.legalrisk.co.uk/News.)
Cyber insurance is becoming more expensive and proposal forms more onerous. Proposal forms need to be considered critically to ensure that firms are not warranting that certain measures are invariably taken when in fact they are only ‘usually’ taken.
It is therefore imperative that firms review their information security in the light of these developments. For firms relying on external IT support, that support may fall short of what is required on information security, which may need to be secured elsewhere. One measure which seems not to attract mention in articles is the (free) National Cyber Security Centre Early Warning Service. This provides incident notifications, network abuse event alerts, and vulnerability and open port alerts.