Cybercrime and professional indemnity insurance

Professional Indemnity Insurance 08/07/2016

The practice note ‘Responsibility for deficits arising from cybercrime’, as published in the June 2015 Gazette, states that any deficit arising in client moneys held by a practice is the personal responsibility of the partner/principal of the practice, whether caused by a solicitor or staff member, or as a victim of cybercrime. 

As partners/principals of firms have a personal liability for a deficit of client moneys caused by cybercrime, even where they are the victim, in the event of loss of client moneys due to cybercrime, firms should immediately notify their insurer.

Third-party cover for civil liability claims in relation to cybercrime already exists under the minimum terms and conditions of PII cover set out by current regulations. The minimum terms and conditions provide a broad scope of coverage, as insurers are required to provide cover to firms for civil liability claims arising out of the provision of legal services. A solicitor who holds client moneys in a client account on behalf of a client is providing a ‘legal service’ to a client within the meaning of that term, as defined by the minimum terms and conditions. A ‘claim’ is defined as including a request or demand for civil compensation or civil damages of any nature. A claim made by a client against a firm in circumstances where the client moneys have been lost due to cybercrime is a request for either civil compensation or civil damages.

It should be noted that cover under the minimum terms and conditions is third-party cover for civil liability claims, not first-party cover. As such, cover will need to be triggered by a client or clients making a claim against the firm or by a High Court order made on application by the Society requiring the firm to replace client moneys lost due to cybercrime. Policies may have a mitigation clause under which a firm could replace client moneys lost due to cybercrime immediately, so as to mitigate loss for the insurer, which could trigger the insurance.

Expert advice should be sought on mechanisms for making a claim in the event of loss of client moneys due to cybercrime, including a review of the self-insured excess to check if the firm’s policy provides for multiple claims to be treated as one claim for the purpose of self-insured excess.

Speciality top-up insurance products are available on the market that provide more comprehensive cover for cybercrime, which may include first-party cover and cover for claims by employees, malicious or unauthorised use of the firm’s own network to damage, misuse or destroy client data, use of the firm’s network to cause a denial-of-service attack, customer care and reputational expenses, loss of business income, damage to digital assets, cyber-extortion, and reputational damage. Care should be taken not to double insure, as any top-up cover should not be the same as cover for third-party claims already in place under the minimum terms and conditions.

Firms are encouraged to contact their broker regarding their existing cover for cybercrime, including review of any mitigation clauses and self-insured excess, and regarding top-up cover if the firm is interested in availing of it.