The importance of cybersecurity and professional indemnity insurance (PII) was in the spotlight again recently as it was revealed that hackers stole £85m from UK law firms over an 18-month period after finding out that many firms move money through their accounts on a Friday.
One firm lost £173,000 when scammers managed to pass themselves off as employees of a bank. The majority of the funds could not be recovered and the firm’s insurer was forced to cover the cost. Crimes such as this are affecting the PII market in a big way as insurers ask firms to improve their security to minimise their risk.
Law firms may also be subject to further changes as the Solicitors Regulation Authority (SRA) considers changing the rules around run-off cover, the insurance required to cover a firm’s liabilities for six years after it ceases trading.
Q: How are insurers reacting to the increased threat of criminals using cyber attacks and bank scams to steal money from law firms?
Sarah Clover, head of global PI team, Clyde & Co: Professional indemnity (PI) insurers are aware of this issue and are actively engaging with insurers and publishing guidance on the topic to help firms minimise risk. Insurers are also starting to discuss cyber protection renewal and the
benefits of specific cyber cover.
Although PI cover will respond to some of the incidents and third-party losses that a firm might experience, such as the need to reinstate missing monies to client accounts pursuant to the Solicitors Accounts Rules 1998, there may be other risks such as first-party losses and investigation costs, for which separate cyber cover is desirable. Cyber policies are developing and may provide much more than simply insurance; for example, ready access to forensic experts, PR consultants and lawyers specialising in breach response with whom insurers already have a relationship.
That said, it is important that firms don’t view a comprehensive insurance programme as a substitute for proper risk management in this area.
“Firms should not view a comprehensive insurance programme as a substitute for proper risk management”
Steve Holland, senior vice president, Lockton Companies: Insurers are very concerned with the tsunami of attacks that have hit solicitors up and down the country. Firms big and small have fallen victim to the relentless bombardment of emails and malware.
What insurers thought they were originally insuring when they started underwriting this class of business is now far beyond the negligent acts, errors and omissions of a solicitor carrying out legal work. Insurers usually have the luxury of assessing the defensibility of a claim and working with their insured firms to defend or settle a claim on the best possible terms.
A cyber fraud where client monies are taken often results in an immediate payment by insurers to ensure the firm is able to fulfil its obligations under the Solicitor Account Rules. The minimum terms and conditions (MTC) require insurers to ‘suck up’ the losses or exit the market. We saw this with Elite, which cited unsustainable rates and fraud on client accounts as the reasons for its market departure at the beginning of this year.
Insurers are asking searching questions in order to assess those firms at higher risk of attacks and to establish what controls are in place to combat internal and external frauds and scams.
Clare Hughes-Williams, partner, DAC Beachcroft: Insurers are acutely aware of the risks posed by cyber criminals to their solicitor insurers both in terms of losses from client accounts and the more complex threat posed by cyber criminals stealing solicitors’ data.
Insurers are reacting by asking more targeted questions in their proposal forms to assess their exposure as well as increasingly focusing their attention on recoveries. They are also sharing information anonymously with the SRA on their claims experiences, to raise awareness and assist the regulator in providing a focus on training.
Developing standalone cyber policies that respond to first-party costs is also an important strategy.
Frank Maher, partner, Legal Risk LLP: At present, the compulsory professional indemnity insurance required by the SRA MTC covers loss of client money in most cases. The continued stream of attacks may lead insurers to press for change to remove this from cover.
In the meantime, we are expecting insurers to seek more detailed information from firms on what they have done to prevent these losses.
Firms’ own losses are not covered under the professional indemnity insurance, but many firms take out additional insurance to cover this. One major insurer has dramatically reduced cover for this type of loss due to claims experience, though cover is still available in the market.
Q: Over an 18-month period hackers stole £85m from several law firms after realising they move money through their accounts on a Friday. How can firms reduce the risks associated with these scams?
Clover: As the question identifies, so-called ‘Friday afternoon frauds’ are an ongoing problem. Firms need to keep abreast of the different and changing methods used by fraudsters.
For example, to guard against scams carried out by fraudsters who telephone lawyers or accounts teams impersonating clients or banks, firms should train all staff to be aware of the importance of never giving any access or security information to anyone over the telephone no matter how genuine they sound, not least since banks will never ask for PINs or passwords over the phone. Those receiving a call apparently from a bank should call back using the number for the firm’s usual contact at the bank.
Features such as an apparent client providing a change of bank account details partway through a transaction should also be regarded as immediate red flags, and all staff should be educated on these sorts of warning signs.
Firms should also consider prohibiting clients or others from talking directly to members of the accounts team.
Hughes-Williams: Straightforward steps that solicitors can take to reduce the risk of financial and data loss through cybercrime include improving training and staff awareness and enhancing data protection measures.
Solicitors should have a plan in place and know how they are going to react in the event of a breach. Solicitors should practise their breach response procedures regularly since the way in which they react in the first few days after a breach will be an important factor in determining how the various regulators will deal with them.
Paul Castellani, insurance partner, RPC: The scams have tended to be twofold. One scam involves ‘socially engineered’ telephone calls where the firm reveals a confidential password to give the fraudster access to the accounts. Another is email interception, where a fraudulent email instruction is given.
The first of these can be met by the normal risk management steps we all use on our personal accounts: never disclose your details to any third party no matter who they say they are, and always call the bank’s fraud line from a different telephone (keeping the fraudster on the other line).
As to the second, firms should always speak to their client to confirm instructions to transfer money. Never rely on an unencrypted email. If firms have encrypted or secure portals through which clients can communicate, then that will also help.
“The critical issue is ensuring raised staff awareness across the firm – including the managing partner and the receptionists. Everyone is at risk”
Smaller firms can reduce their exposure by having a dedicated non-networked terminal to process payments and payment requests as well as having regular client account reconciliations.
Maher: All firms should be following the Government’s ‘10 Steps To Cyber Security’ as a minimum – many will be doing rather more. While there are measures that need to be taken from an IT perspective, the critical issue is ensuring raised staff awareness across the firm – and that means everybody, from the managing partner to the receptionists. Everyone is at risk.
Firms also need to make their clients aware, and should be looking at how they communicate with clients over payment details, verifying any changes.
Q: The SRA has recently launched a consultation on removing run-off cover when a firm switches from the SRA to another approved regulator. What would be the benefit of removing it?
Ross Risby, partner, DAC Beachcroft: It is thought by some commentators – including the SRA – that the requirement of the Participating Insurers Agreement for insurers to provide run-off cover when a law firm switches regulator is an unnecessary and restrictive barrier to a free and liberal regulatory market, since without an SRA waiver the law firm will be forced to pay a run-off premium at a cost usually equivalent to about three years of the annual premium. The price of switching regulators can therefore be prohibitive for smaller firms. Removing that additional cost should allow law firms more flexibility to choose the most appropriate regulator for their practices and their clients.
Holland: The main benefit is to avoid triggering the run-off provisions in the MTC where the cost of run-off is typically in the range of 225 per cent to 300 per cent of the last annual premium. This cost has been seen as a barrier to firms switching to the Council of Licensed Conveyancers (CLC). Provided the firm appreciates the differences between the PII arrangements and understands what it is giving up when changing regulators,a firm regulated by the CLC could potentially make savings.
“Some practitioners cannot afford to cease practising – they cannot afford the run-off premium. So there are ‘zombie firms’, which carry on longer than they should”
Castellani: The SRA is concerned that some practitioners cannot afford to cease practising as they cannot afford the run-off premium. So there are ‘zombie firms’ which carry on longer than they should. If a firm moves from the SRA to a new regulator, then insurance policies might clash or double. So the firm will have a run-off policy and then will buy a new policy for the newly regulated entity. That new policy will be a ‘claims made’ one (all professional indemnity policies are), so it will also likely cover acts and omissions of the now-ceased SRA regulated entity that have not previously been notified to the SRA. Hence the firm is paying for two policies, which cover in part the same thing.
Q: What are the negative implications of removing run-off cover when switching regulators? Are there any suitable solutions to these issues?
Risby: The obvious concern – and one raised by The Law Society – is that other regulators may impose lower PII obligations on law firms than the SRA does, leading to reduced levels of consumer protection for clients of switching law firms. For example, CLC requires LLPs and alternative business structures to carry only £2m of cover in the aggregate while the SRA demands £3m per claim. The Legal Services Board’s (LSB) intervention to impose equivalent cover on all regulators might smack of illiberal meddling. It’s difficult to see an obvious solution.
A partial answer might be to require firms to explain clearly to potential clients the level of cover they hold and simply have confidence in consumers’ ability to choose whom to instruct.
Clover: There is also a risk of ‘regulator shopping’ with detrimental effects on protection. A firm looking to close in the near future and wishing to avoid the cost of purchasing SRA MTC-compliant run-off cover upon doing so, could switch for its final year of practice to a regulator with less onerous and costly requirements in relation to post-closure run-off cover.
For example, the CLC has recently applied for Legal Services Board (LSB) approval of a new insurance regime under which insurers will provide six years of run-off cover for no additional premium at the time of closure. The limit of indemnity under this run-off cover will be £2m in aggregate (not, as under the SRA MTC, for “any one claim”) and inclusive of defence costs (another point of difference from the SRA MTC, which requires defence costs to be in addition). This would arguably provide significantly weaker and cheaper protection than had the firm remained regulated by the SRA until closure.
Maher: The firm’s new regulator might have lower requirements for insurance, meaning that when a claim relating to the pre-transfer practice comes in, the expected cover is no longer in place. From the perspective of the firm and its staff (who could be personally liable), that could have dramatic consequences. The firm might have limited its liability to clients to £3m when it was regulated by the SRA, but under a new regulator might only have £2m cover, or even £500,000 in the case of the Bar Standards Board.
There could also be practical issues for a CLC-regulated firm obtaining cover for legacy risks relating to other areas of practice such as personal injury. These are issues for which they would need proper broking advice, and in some cases they may find they cannot access suitable cover under a scheme, needing a tailored solution which might carry unexpected cost.
Holland: Firms that take advantage of the removal of the run-off requirement and switch to the CLC should do so with their eyes wide open. The cost of PII under the CLC PII arrangements may be less now than as a SRA-regulated firm, but the cost will inevitably increase.
The CLC proposal to provide free run-off cover at the point of closure will have to be paid for somewhere. The burden to pay for run-off will switch from the firms closing down to the firms continuing to practise.
An alternative way to fund these costs and ensure that all firms contribute towards the cost of run-off over the duration that they are in practice, would be to add a levy to all of CLC’s
Any solicitors’ practice that carried out work outside the regulation of the CLC, such as activities beyond conveyancing and probate, would still need to arrange run-off cover or maintain a business as a solicitor with MTC cover in place.