Law practices hold large amounts of sensitive information about clients and others which may be accessible electronically. At the same time, data is an increasingly valuable resource that is likely to be targeted or inadvertently disclosed through security breaches. Solicitors’ duty of care requires maintenance of client confidentiality, and law practices have an obligation to protect confidential and sensitive information and to respond quickly and appropriately where there is a risk that this information has been or may be disclosed. For this reason, crisis assistance is an important aspect of the cyber risk policy.
In addition, many law practices are becoming increasingly reliant on the ongoing availability of computer systems and networked technology for their day to day activities, meaning the consequences of a cyber-attack resulting in a firm’s computer systems being damaged or taken offline could be severe.
The cyber risk policy will respond to cyber events such as ransomware and other disruption attacks. However, it is important to note that the cyber risk policy will not respond to problems unrelated to a cyber event which arise through failure to maintain a computer and/or network.
It is prudent for law practices to ensure that up-to-date antivirus protection is in place, and to undertake frequent back-ups to ensure data can be restored in the event of an uncontained cyber-attack.
Look out for our new cyber security risk management advisories over the coming months.
The group cyber risk policy is underwritten by Barbican Insurance Group (Barbican) in London, through Barbican Syndicate 1955 at Lloyd’s. Lawcover has a long relationship with Barbican.
While Lawcover has purchased the group policy, in all other respects the cyber insurance relationship is between the insured law practice and Barbican.
The policy limit for each law practice is $50,000 for all cover under the policy during the period of insurance. The applicable excesses under the cyber risk policy are based on each practice’s gross fee income for the last complete year, and range between $1,000 and $25,000, as shown below.
Law practices should consider whether this limit and breadth of cover is sufficient for their individual needs. An insurance broker or professional adviser will assist in making this determination.
Extended cyber risk protection is available from Barbican via its local agent, London Australia Underwriting, subject to underwriting review. Law practices wishing to extend the limit or breadth of cover should speak with their own insurance broker. Alternatively, Lawcover has appointed a broker to assist those law practices that require advice. Details are:
Changes to the Privacy Act 1988 (Cth) from February 2018 will require mandatory reporting of eligible data breaches for many law practices.
Regardless of size, all law practices should be aware of the new privacy legislation because:
If your law practice falls into any of these categories it will be required to comply with the new privacy regime and you should prepare for its introduction in February 2018.
Even if your law practice does not fall within this regime, protection of clients’ sensitive information is required under Solicitors’ Rules. Adequate cyber security protection is therefore an important component of modern legal practice.
As noted above, law practices can consider increasing the limit and breadth of cover under this policy in place of any existing cyber risk policy, or simply maintain it in its current form.
There will be no reduction in Lawcover PII premium paid by law practices if they choose not to utilise the cyber risk policy, because the policy is provided to insured practices without cost.
To notify a cyber event under the policy, the law practice should contact Barbican via its incident response team at Colin Biggers and Paisley Lawyers (CBP) who will make an initial coverage assessment. Notifications must be made as follows:
Phone: 1800 273 224
The CBP incident response team will assess the notified cyber event and advise the law practice whether coverage is available and if so, will act on a reservation of rights basis from that stage.
Lawcover is not the insurer for the cyber risk policy and notifications should be made directly to the CBP incident response team as above.