Silent cyber cover: changes to the Minimum Terms and Conditions for solicitors
Most firms will be relieved to know that the status quo in respect of cover for third party losses arising from cyber crime will not be disturbed.
Cyber crime against law firms is on the rise. It is accepted by insurers and professionals alike that law firms, because of the sensitive client data they hold and the volume of transactions they carry out, will always be a target for cyber criminals. Indeed, for many years now, IT security has formed a key part of every business plan and a not insignificant part of every law firm’s budget. However, the perception, if not the reality, is that with Covid-19 forcing the whole of the profession to work remotely and with home working set to continue into the foreseeable future, the risk of a cyber attack has increased.
In September 2020 the SRA published its thematic review on cyber security in law firms. The review discusses the experiences of 40 law firms, all of which have been the target of previous cyber attacks. 30 of the 40 firms interviewed had been directly targeted and, in total, more than £4 million of client money was stolen. £3.6 million of that sum was recovered from insurance policies, with the £400k shortfall to be met out of the firm’s own pocket together with any indirect costs resulting from the attack. Whilst such costs, i.e. lost profit and reputational damage, are often not insubstantial, it is fair to say that insurers have taken the brunt of the loss.
Under the SRA Minimum Terms and Conditions of Professional Indemnity Insurance (the MTCs), which dictate the extent of primary layer professional indemnity cover afforded to solicitors’ firms, indemnity is provided for civil liability arising out of private practice, regardless of the nature of the event that has resulted in the loss. By virtue of the definition of ‘claim’, this includes any obligation on the firm to remedy breaches of the SRA Solicitors Accounts Rules, whether or not any person has made a demand for, or intimated an intention to seek, civil compensation.
Whilst undoubtedly broad in its application to solicitors, PII does have its limitations; most notably it covers losses caused to third parties, i.e. clients of the firm or other third parties. First party loss is excluded, as are trading debts, legal liabilities, fines and penalties. In short, there is no cover for the firm’s own losses. The firm will need to look elsewhere (and to its own coffers if it does not have other insurance) should it, for instance, suffer a loss of profits due to business interruption because of a ransomware attack or be required to meet a fine by the ICO for a data breach caused by a leak of confidential client information.
On 13 April 2021, the SRA opened a consultation on changes to the MTCs to clarify the level of cyber cover provided by a solicitor’s PII. The intention on the SRA’s part is not to reduce the level of protection afforded to firms and consumers of legal services but rather to help the profession understand what cover is available and to assist them to decide whether they need to purchase separate cyber cover. The proposed approach is to add an exclusion within the MTCs which would allow insurers to exclude cover for first party loss arising from a cyber attack (which is not currently and has never been covered by the MTCs) but would preclude insurers, save insofar as setting the liability limit, from reducing their liability for civil liability.
The current proposal does not seek to alter the wording of the insuring clause. That will remain unchanged. Rather, the SRA is seeking to bring about a more informed understanding of the cover provided for cyber attacks under the MTCs by setting out the parameters of what insurers may or may not exclude from cover. That being so, it is difficult to see how, from the everyday professional’s viewpoint, this will provide clarity. If the SRA’s proposal is accepted, unless a firm has purchased additional cyber cover from its PII provider, its PII policy is likely to contain the same clauses and provisions as it did in previous years. How then is that firm any better placed to know what is and what is not covered in the event of a cyber attack?
Granted, most firms will be relieved to know that the status quo (should the SRA’s proposals be accepted by the Legal Services Board) in respect of cover for third party losses arising from cyber crime will not be disturbed. However, it is unlikely that they will be better able to determine what is indemnifiable by their PII policy in the event of a cyber attack and for what losses the firm, absent other insurance, will be responsible. Insurers on the other hand might be disappointed (but not surprised) that the SRA has not taken the opportunity to reduce their exposure under the MTCs.
The consultation closes on 25 May 2021 and it is hoped that any changes will be made in time for 1 October 2021.