PI renewal and cybercrime Q&A
Published 7 December 2021
We have been asked some questions regarding our cybercrime proposals and this year's renewals. These are below with our responses.
The consultation closed in May and we held further discussions with insurers and others to make sure that we fully understood the aims of the drafting suggestions some had made, and clarified any potential unintended consequences.
Following our consultation and further discussions with insurers and others our Board agreed clarificatory changes to the MTCs about the scope of cover included in our PII arrangements when a firm is subject to a cyber attack. The LSB have now approved these amendments. We are currently updating our MTCs and we expect these to be in place for renewals by the end of 2021.
The MTCs require cover for losses to a client or other aggrieved third party caused by a cyber-attack that fall within scope of a claim for civil liability against a solicitor. This would include losses where money is stolen from your firm’s client account as a result of the cyber-attack and you do not replace the money.
Our MTCS do not require cover for business losses to the law firm (sometimes called first-party losses), except for certain costs of investigating and defending a claim. For example, loss of the firm's own money or the costs of rectifying any reputational issues. These losses can be covered by separate standalone cyber policy, but we do not mandate these.
Our MTCs do not prescribe the precise drafting of the insurance policies that firms must have in place, rather they set out minimum terms that must be met. Insurers can therefore draft their policies in any way that they wish, provided they maintain the cover required by the MTCs. Insurers can provide cover above the minimum terms and your broker can advise you on this.
No - under the agreement we have with insurers this is not allowed. However, an insurer may take into account the fact you have cyber insurance, for example to cover the costs of rectifying IT systems and managing data breaches, as a factor when assessing your overall risk management when deciding whether to offer you a policy and calculating the premium.