The Changing Face of Cyber Risk for Law Firms

 Source: Marsh's 2014 Global law Firm Cyber Survey

While cyber is not yet seen as the most significant risk law firms face, the sudden nature of an attack and the detrimental effects it poses means it is increasingly being written into risk management efforts as a rising priority. Law firms will no doubt remain a target of choice for cyber criminals due to the frequent and sizeable transfers of monies, which they can attack. Equally, there is high value, commercially sensitive and individual net-worth sensitive data that is attractive to criminals, all needing to be protected.

Cyberattacks are getting more and more sophisticated by abandoning the well-known methods of malware, ransomware and hacking attacks, and getting more granular in their approach. We're seeing examples of internal phishing where a hacked internal email is sent from the "managing partner" to the financial controller asking for payment to be made. In this scenario it is easy to ask the financial controller for their confidentiality on the subject as the payment may not be appropriate for firm-wide awareness.

The SRA and The Law Society are both concerned about this risk because no one really understands what the limits to cybercrime are. Underwriters are also beginning to ask a lot of questions around the procedures firms have in place in regards to their tracking of money and release of funds. Worryingly, there is no real defence if a transfer is hacked and diverted into the wrong account; the money will be gone and insurers have to pay. 

Cyberattacks can hit a firm hard and fast and the solutions will need to be found incredibly quickly. For conveyance, for example, underwriters are going to struggle with the pressure to replace the monies in the chain to avoid loss of deposits. Although PII covers such eventualities, this is an increasing concern for underwriters as losses can be considerable and growing as a percentage of their overall losses. If the trend continues it cannot be long before this aspect of cover comes under pressure and insurers start discussing its potential removal from the SRA's Minimum Terms and Conditions. Replacing this with separate insurance will have serious cost implications for firms.

No industry is as prepared for cybercrime as insurers would like and law firms are no exception despite their susceptibility. Aside from the Insurance costs, the outcomes of a cyberattack can involve reputational damage, regulatory investigation fines and business interruption, which could be injurious to the financial position of the firm. 
Although it is encouraging that law firms now acknowledge the seriousness of cyber risk, this acknowledgement needs to be converted into the implementation of preventative measures. Willis's Risk Barometer survey highlighted that small to medium-sized firms are struggling with this issue more than those with greater resources. Smaller firms can be more susceptible to cyberattacks due to smaller IT budgets, and the side effects of an attack, like business interruption, could be far more crippling for a smaller firm.

In short, cyber exposure is not just a significant risk in its own right; it can be the first domino in a chain of events. It is an enabler, amplifier or accelerator of existing risks that firms face. Investigating how to improve cyber risk management procedures and staff awareness is now just another box that needs to be checked.
Whilst many law firms rely on just the proposal form when renewing their PII, providing additional information can greatly assist negotiations and may achieve a better outcome. Underwriters need to fully understand what the firm does and what procedures they have in place to mitigate risk: if an underwriter is unaware of the good work you do to prevent claims occurring, a law firm could be paying a considerably higher premium than necessary. Additional information should be provided on the following key areas:

    1. What the firm does/Aspirations for growth etc.
    2. Conveyance analysis
    3. Clear claims information and summaries
    4. Disciplinary and compliance
    5. Risk Management - (including an awareness of cyber risk. To fail to display a clear awareness of cyber risk is to ignore one of the underwriters' biggest concerns at the moment.)
    6. Financial stability - still a concern for insurers

What exactly should a broker be doing for their client? It will come as no surprise that the Willis Risk Barometer indicated that a poor relationship with the incumbent broker is the biggest reason for changing to a different one; a bigger issue than cost. Some law firms may not be aware of how extensive (or otherwise) their broker's services can be and could be missing out on an array of services and advice, which would benefit their practice.

The best route to the PII market is with a broker that understands and meets the firm's specific needs. As with personal insurance, quick-fix low-rate online PII can easily be found and many would treat their PII as they would their car insurance. Many want the cheapest price available and they do not fully understand what is on offer. There are still many firms with unrated insurers even though alternative, piece proximate A-rated insurers may be available.

A law firm's relationship with their broker will depend on the specific needs of the firm itself. Some will require international capabilities but many do not. It is recognised, however, that large firms and small firms alike will have a better experience the more they engage with their brokers from day one. Good brokers can provide risk advice, take firms through their day-to-day claims process, engaging throughout the renewal process, provide input on strategy, review draft documents and attend conferences with the counsel to ensure their client's interests and reputation are protected at all times. If you have a claim that approaches your total limit of indemnity you'll certainly be pleased to know you have a quality advocate on your side.

In conclusion, the solicitors' working environment is constantly changing and many are looking at mergers and acquisitions of firms, teams, or lateral hires. It is important, therefore, that firms have a broker that can respond to this dynamic environment and provide cost-effective risk structures in the short and long term. Equally, they need to have the experience and excellent access to a wide range of insurers, which allows them to respond quickly when a firm wishes to seize an opportunity to further the firm's strategic plans.
Managing Partner:  http://bit.ly/1gjnZqi