Question & Answer: Can I reduce my PI insurance premium by reducing my cyber risk?

In this article, we interview Lindsay Hill, Chief Executive Officer at Mitigo. Lindsay is a solicitor and experienced CEO. He has spent 35 years as a specialist in legal and regulatory compliance and business risk management, including legal obligations for cyber and data security.


What changes are you seeing in PII and cyber insurance cover?

Over the last few years, the PII market has hardened for the legal profession, with premiums steadily rising. This is not surprising given the increase in claims, many of which result from an increase in cybercrime, combined with a squeeze in underwriting capacity.

We have also seen more firms looking to supplement their PII with standalone cyber cover – especially following the clarification by the SRA in 2021 that, whilst the Minimum Terms and Conditions which apply to PII for law firms will cover third-party claims arising from a cyber incident, they do not cover any of the firm’s own losses.

Standalone cyber premiums have also been rising quite dramatically. Cyber incidents give rise to heavy losses, and underwriters now know this. The days of cheap cyber cover are gone.

The upshot is that for both PII and cyber insurance, firms must be able to demonstrate that they have taken steps to understand the cyber threats and risks their business faces, and have put in place the technological and organisational measures necessary to control them. Otherwise they are looking at very high premiums, with many firms finding they are unable to get cover at all.

How has that increased focus on cyber security by underwriters affected law firms?

Underwriters are now asking quite detailed questions, not just about your technical security and how it is pressure-tested and monitored, but also about how you are training staff, your policies and procedures, general governance and independent assurance – all the things which are needed for actual data security, operational resilience, and legal and regulatory compliance. And if they don’t like the answers, you will be faced with hiked-up premiums or a refusal to provide cover. Underwriters are now far more selective about the firms they are willing to cover.

What is happening with cyber incidents that is causing this change?

Law firms are a prime target for cyber criminals. They hold lots of personal client and other confidential data which has significant value in the wrong hands. They are involved in the movement of money and financial transactions which criminals can divert and interfere with. Locking firms out of their data and systems for weeks, and threatening to publish or sell highly confidential information can be rewarded with ransom payments running into millions. Quite a few law firms have experienced just how devastating the impact can be on their finances and reputation.

Therefore, with claims on policies increasing (both PII and separate cyber), premiums increase and naturally firms are expected to implement a proper cyber risk management framework to control the risk.

So what should law firms be doing?

Well, the starting position is that firms should be managing cyber risk. Insurance must not be seen as a substitute for effective risk management. Any type of insurance is a fallback position, a final layer, if things go badly wrong.

Cyber should be right at the top of any firm’s risk register. It is a board-level matter which the senior management team should take responsibility for. It is not something to be treated as an IT issue.

Accurately and comprehensively identifying your firm’s cyber risks is an important first step. This initial vulnerability risk assessment must be undertaken before you can even begin to put in place the control measures necessary for your firm. The ICO is quite clear on that point. The assessment should be undertaken by those who have specialist cyber expertise, combined with up-to-date knowledge of the current attacks which are breaching law firms’ defences.

And please appreciate that assessing risk and putting in place control measures is not a one-off MOT. Don’t forget your legal obligation to have a process for regularly testing, assessing and evaluating the effectiveness of the security measures you have put in place. Your forms of ongoing assurance should be independent. Of course, law firms also have additional regulatory obligations under the SRA’s Code of Conduct.

So will my insurance premiums reduce if I control my cyber risk?

Well, it is not quite as simple as applying a particular percentage discount. But by demonstrating that you take cyber risk management seriously, you will show that you are a well-run organisation, motivated to protect your business and clients from harm. You’ll be able to achieve both PII and (if you require it) additional cyber cover at the best rates possible. You should inform your broker about the protections and assurance you have in place. It is important, when you are applying for cover, to “tell your story”, either in your proposal documentation or other presentation material.

Conclusion

In the past, many underwriters did not have a particular focus on cyber risk. But the landscape has changed, and they now better understand how high the risk of a cyber attack can be in a poorly managed firm and the disastrous impact it can have. So firms must up their game. They must seriously and professionally manage this risk.

Finally, please bear in mind that there is no policy which will fully cover the losses you will sustain if you suffer a serious cyber breach. I have seen at first hand the consequences of an email account takeover or a ransomware attack. It is not pretty. No insurance will make good the disruption caused by downtime, the damage to reputation, loss of clients or restoring clients’ faith in you, fines from the ICO, damage to internal relationships, the sleepless nights, etc.
