10 January 2022

SRA PI & Cyber Insurance Consultation – How Might You Be Affected?

Law Society Update: JANUARY 2022

RISKUPDATE is a bulletin we put together for the Manchester Law Society on a regular basis but is applicable to all Solicitors and Law practices in the UK.


Further to our comments in previous bulletins, you may be aware of the SRA consultation relating to ‘silent cyber’ cover within the minimum terms and conditions (MTC). The consultation period has been completed, and a detailed summary can be found here:

https://www.sra.org.uk/sra/consultations/consultation-listing/pii-cyber/#downlload

The ‘silent cyber’ issue has been an increasingly prominent topic given the growth in cyber claims and losses resulting from cyber-attacks, hacks and so on. The SRA MTC are intended to provide as wide a protection as possible. The SRA are not alone in reviewing their terms, e.g. other regulatory bodies have made restrictive changes to their own minimum terms, to ensure they provide clarity. What makes such a process more difficult is the number of insurers having to agree to a standardised wording with SRA, whilst considering the impact it can have to various stakeholders.

The nature of many solicitor firms of course makes them attractive targets to criminals with personal data held and in some cases client monies too.

As a result of the consultation, a draft clause has now been submitted to the Legal Services Board for approval. This was confirmed within their publication dated 21 October 2021. The consequences of the SRA’s stance remain to be seen, arguably the PII cover expands beyond professional negligence in the event of a cyber-attack/event, though it would not be the intention of PI Insurers generally to provide such extended cover as a matter of course and certainly not without some consideration on pricing.

However, Excess Layer Insurers are not bound by the rules of the SRA MTC and we have seen a variety of cyber endorsements applied recently to Excess Layer policies by Insurers. Examples see the Insurer excluding any loss arising from a cyber-act, computer system or Data Protection Law. Many firms may only hold a Primary policy under the MTC, however bigger firms particularly may hold several Excess Layer policies and must consider their exposure to cyber threats against the cover that might be available.

It remains unclear; could these restrictions seen in the Excess Layer market be a sign of things to come for Primary policies in years to come?

Our recommendation would be that a stand-alone Cyber Insurance policy is purchased. These policies provide key first-party protection and comfort in the event of a cyber-attack should a claim arise, with benefits such as assistance in the event of being hacked, forensic investigations, assistance with the response to requests for ransom and PR etc. The market is currently strong and certainly quotation options are available for legal practices of all sizes.

Please contact us as below if you wish to discuss further.

Contact us if you would like to discuss further.