Cyber FAQ

The 2024/25 group cyber risk policy is underwritten by Tokio Marine Kiln. Lawcover has purchased the group policy, in all other respects the cyber insurance relationship is between the insured law practice and Tokio Marine Kiln.

The cyber risk policy is specific to the risks faced by law practices. Subject to policy terms, cover is provided for:

• Crisis management costs and customer notification expenses
• Electronic business interruption and increased cost of working
• Cyber liability to third parties (to the extent these are not covered under other relevant policies)
• Privacy regulatory defence and penalties
• Cyber extortion payments consented to by the insurer

The policy limit for each law practice is $50,000 for all cover under the policy during the period of insurance. The applicable excesses under the cyber risk policy are based on each practice’s gross fee income for the last complete year, and range between $nil and $25,000, as shown below.

Law practices should consider whether this limit and breadth of cover is sufficient for their individual needs. An insurance broker or professional adviser will assist in making this determination.

Changes to the Privacy Act 1988 (Cth) from February 2018 require mandatory reporting of eligible data breaches for many law practices.

Regardless of size, all law practices should be aware of the privacy legislation because:

• Larger practices with annual turnover in excess of $3 million are subject to the legislation by default
• Practices holding tax file numbers are subject to the legislation for the purposes of those records
• Many law practices hold health records, which fall within the legislation (for example practices acting in personal injury litigation and holding medical information or practices holding medical certificates in relation to individuals’ legal capacity for the purposes of powers of attorney)

If your law practice falls into any of these categories it is required to comply with the new privacy regime.

Even if your law practice does not fall within this regime, protection of clients’ sensitive information is required under Solicitors’ Rules. Adequate cyber security protection is therefore an important component of modern legal practice.

Whether or not your law practice already has a cyber risk policy, Lawcover’s group cyber risk policy is available to your law practice should you choose to use it.

As noted above, law practices can consider increasing the limit and breadth of cover under this policy in place of any existing cyber risk policy, or simply maintain it in its current form.

There will be no reduction in PII premium paid by law practices if they choose not to utilise the group cyber risk policy, because the policy is provided to insured practices without cost.

To notify a cyber event under the policy, the law practice should contact the cyber incident response team at Colin Biggers & Paisley Lawyers (CBP Lawyers) who will make an initial coverage assessment. Notifications must be made as follows:

Phone: 1800 4BREACH (1800 427 322)

Email:  lawcyber@cbp.com.au

The CBP Lawyers cyber incident response team will assess the notified cyber event and advise the law practice whether coverage is available and if so, will act on a reservation of rights basis from that stage.

Lawcover is not the insurer for the group cyber risk policy and notifications should be made directly to the CBP Lawyers incident response team as above.

Click here to access all Lawcover cyber risk information, including a copy of the group cyber risk policy.