Mind the gap

The term “cyber” does not have a consistent meaning which is universally agreed and understood. Nor do the terms “cyber event”, “cyber risks” and “cyber insurance”. Definitions can vary with context. The ambiguity is not helpful when considering the availability and adequacy of insurance cover for liability and losses arising through, for instance, the impact on a firm of a computer virus or being the victim of cyber crime.

This article, read with the insurance gap analysis document referred to below, attempts to explain the protection provided by the Master Policy in this area, and touches on the extent to which other types of insurance may provide further protection. Whereas the boundaries of Master Policy cover are fairly clear, the diversity of other policies can make it quite complex to address the latter question.

Scope of Master Policy cover

Under the Master Policy, solicitors’ firms have the benefit of very extensive cover for loss arising from liability to clients – even liability due to a cyber event. For example, if a firm were targeted by criminals hacking into its IT systems and gaining information enabling them to steal client funds, the Master Policy would normally respond.

What about other types of liability or loss? What if a hacking attack puts the firm’s systems out of action, resulting in financial loss to the firm, or leads to a data protection breach and exposure to regulatory sanctions? What if the firm’s own money is stolen? The Master Policy would not cover any of these losses, but other insurances available can provide, alone or in combination, at least some protection. One, commonly referred to as crime insurance, would typically cover theft of a firm’s own money, including theft perpetrated by cyber crime.

Other insurance, and the insurance gap

Specialist “cyber risks policies” are offered by a number of insurers. Their scope varies, but they are typically presented as covering (with varying combinations, limits and options), many of the diverse range of impacts of cyber events. It is not the case, however, that a cyber risks policy is the only way to insure any of the wide range of cyber risks not covered by the Master Policy. To varying degrees, other types of policy may duplicate some, but not all, of the cyber risks policy cover. The potential for overlap or duplication is one reason why the insurance gap analysis may be useful.

The insurance gap analysis has been devised to help firms:

• identify the diversity of cyber risks, which of them could potentially impact on the firm, and how;
• consider the extent to which Master Policy cover applies to protect the firm;
• consider the extent to which, depending on the type of loss or liability, the firm might also be protected by its other insurances, e.g. general office insurances and any computer policies, any management liability/directors and officers (D&O) cover, and any fidelity or crime insurance.

The comments in the analysis aim to provide a basis for discussion of the extent to which the cyber risks described (a) fall within the scope of cover under the various types of insurance policy referred to; or (b) might be covered by specialist types of insurance such as crime insurance or cyber insurance.

The comments on cover included in the gap analysis are not intended as comprehensive descriptions. Inevitably, every liability or loss scenario involves a particular set of facts and the insurance position may differ subtly, or significantly, depending on those facts and, crucially, the types and terms of insurance in place.

The insurance gap analysis is available for downloading on the cyber risks section of the Marsh website for Scottish solicitors (www.marsh.co.uk/login/lawscot; for your practice’s login details, contact nada.jardaneh@marsh.com). The Marsh website also includes a risk identification/assessment diagnostic tool which firms may find helpful in identifying and assessing their own exposure to cyber risks and how well that is being addressed by their risk controls.

• Does the firm have crime insurance covering theft of the firm’s own money? Does it cover losses suffered, or costs incurred, by the firm arising out of “cyber events”?
• Does the firm have management liability/D&O liability insurance cover? Would that meet the costs of representing the firm in regulatory investigations, or proceedings at the instance of the Information Commissioner?
• Do the firm’s office insurances cover business interruption losses or loss of profits suffered as a result of the firm’s systems being down due to a cyber attack?
• Does the firm have insurance which provides, as a benefit, access to public relations consultancy and other expertise to mitigate the adverse impact on the firm?

Alistair Sim and Marsh 

Alistair Sim is a former solicitor in private practice, who works in the FinPro (Financial and Professional Risks) National Practice at Marsh, a global leader in insurance broking and risk management. To contact Alistair, please email alistair.j.sim@marsh.com

The information contained in this article provides only a general overview of subjects covered, is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Insureds should consult their insurance and legal advisers regarding specific coverage issues.

Marsh Ltd is authorised and regulated by the Financial Conduct Authority.