Cybercrime clause makes liability clear
21 October 2021
A new clause making it clear what cover will be provided for cyber losses will be added to the minimum terms and conditions of law firms’ professional indemnity insurance (PII) policies.
We have drawn up the addition working closely with both the legal profession and insurers, and it has been submitted to the Legal Services Board (LSB) for final approval. If agreed, it should be in place for any insurance renewals from early 2022 onwards.
We proposed the additional clause following the Prudential Regulation Authority and Lloyd’s of London asking insurers across the UK to make sure they focus on losses arising from cybercrime in all policies, including those written for law firms.
The clause means insurance policies will explicitly mention cover for cybercrime and specify what losses fall within scope for a potential claim. The cover is for client and third-party protection - losses to the law firm (first-party losses), except for certain costs of investigating and defending a claim, are not covered. Firms can choose to purchase a separate cyber policy for other risks.
We ran a public consultation over the summer on the addition of the new clause, followed by further discussions with insurer representatives and the Law Society based on the feedback received.
Paul Philip, SRA Chief Executive, said: ‘‘Professional indemnity insurance offers key protection for the public. Law firms handle large amounts of client money and sensitive information, and that makes them an attractive target to cybercriminals. The clause on cyber losses provides real clarity for consumers, law firms and insurers about client and third-party protection in the event of cyber-attack, without changing the amount of cover specified by the minimum terms and conditions.’
We have published a summary of the responses to our consultation and our position on those responses, as well as all responses received.