Cyber insurance: Can you really live without it?
Cybercrime is a real and persistent feature on the legal profession's risk landscape, so it is probably time you prepared for the worst, suggests Frances Lodge
Some of the world's largest technology companies have been hacked to exploit them for financial or other gain, as a protest against the services they offer, or to damage their reputation. Even these technological bastions have been unable to protect themselves from a concerted hostile attack. One might reason that high-profile targets would attract a level of hacking resources that is unlikely to be brought to bear against a provincial solicitor, but this might not be the case.
Sophisticated hacking tools are distributed almost as commodities these days through commercial websites and hackers' clubs. Their availability, coupled with an expert human resource pool spread across the globe, perhaps even in jurisdictions that represent a haven for cyber criminals, means that it is now cost effective for even the smallest commercial target to be subjected to sophisticated hacking techniques. Indeed, smaller organisations are now actively targeted by cyber criminals as they tend to be less secure and the hacking process can be automated, allowing criminals to bulk hack.
In June 2015, the Solicitors Regulation Authority (SRA) warned that 'law firm client accounts are being targeted and solicitors and their clients are suffering disruption and potential loss. It is essential that firms understand the risks and take precautions to avoid falling victim to these attacks.
'This is an issue that is not going away. This is obvious not just from the reports we are receiving direct from law firms and members of the public, but also in our discussions with local law societies.'
The SRA has 'warned repeatedly against the threat of cybercrime since it was first highlighted in its [March 2014] Risk Outlook spring update.
'The risk has not eased, however, and criminals are using increasingly sophisticated methods to obtain money or sensitive information fraudulently.'
The prize for successfully compromising a firm's client account is all too obvious. We must also bear in mind that solicitors hold extremely sensitive and confidential information and, as such, the legal profession has been identified in global surveys as a prime target.
To put the scale of the problem into context, the government's 2015 information security breaches survey, conducted by PwC, indicates:
90 per cent of large organisations and 74 per cent of small businesses have experienced security breaches;
The cost of breaches has soared, with an average cost to large organisations of £1.46m to £3.14m and small businesses of £75,000 to £311,000; and
The majority of UK businesses surveyed, both large and small, said they expected more security incidents in the coming year.
What would you do if your firm was the subject of a successful cyber-attack? How would you cope with the technological, regulatory, and commercial pressures your firm would be subjected to?
Cyber insurance products have been developed by some insurers specifically for the legal profession. As well as providing insurance coverage for exposures that are outside other insurance policies, such as professional indemnity and office insurance, the more sophisticated cyber insurance products provide a comprehensive and 'hands-on' breach management service in the event of a data breach.
Using experts in their respective fields, breach management can offer advice, assistance, and guidance to ensure:
The incident is contained;
Any compromised data is identified;
Notification obligations are assessed;
Data subjects are notified promptly where appropriate;
Call centre services are engaged as necessary;
Credit monitoring and web monitoring are made available where required;
Regulators are notified and kept informed;
Systems are returned to normal operation;
Reputational issues are addressed via the appropriate media; and
Any liability exposures are assessed and response strategies devised.
Some insurers are also able to advise on data breach prevention and planning to reduce the risk of an incident and to ensure your firm's readiness to respond should a breach occur.
Benjamin Disraeli famously said, 'I am prepared for the worst, but hope for the best.' Cybercrime is a real and persistent feature on the legal profession's risk landscape, so it is probably time you prepared for the worst.
While care has been taken in the production of this article and the information contained within it has been obtained from sources that Aon UK Limited believes to be reliable, Aon UK Limited does not warrant, represent, or guarantee the accuracy, adequacy, completeness, or fitness for any purpose of the article or any part of it and can accept no liability for any loss incurred in any way whatsoever by any person who may rely on it. In any case any recipient shall be entirely responsible for the use to which it puts this article.
Frances Lodge is director of the professional services group at Aon Risk Solutions