Only some security risks are covered by LPLC’s professional indemnity insurance. This article covers claims likely to fall within the scope of the insuring clause and those which are not.
Cyber security risks should be at the forefront of practitioners’ minds in this current environment. These risks come in many forms and only some of them are covered by LPLC’s professional indemnity insurance policy.
In essence, the policy covers any civil liability resulting from a claim made against a practitioner by a third party in connection with the firm’s legal practice and any defence costs associated with that claim.
Any claim that a practitioner makes on the policy must be considered on its merits and subject to all of the terms and conditions of the policy. Set out here are claims likely to fall within the scope of the insuring clause and those which are not.
The example described by Simon Kerr (p19) has happened to more than one firm in the last couple of years. See LPLC’s bulletin “Cyber security breach – claims caused by fake email”, which lists the steps that firms and individual lawyers should take to avoid these claims.
Any money paid to a fraudster as a result of a fake email will be covered by the policy as the client will be seeking to recover the amount from the firm.
A new variation on this scenario is the fake email coming from the firm to the client instructing the client to deposit money in the fraudster’s account. To avoid these claims, firms should have a policy of not emailing payment details and tell clients about that policy at the start of every matter. Alternatively, tell clients that if they receive an email from the firm containing payment details, they should call the firm to verify.
Cyber attacks that shut down a firm’s computer system and interrupt the productivity of the firm, resulting in lost income, would not be covered by the policy. However, if the shut-down resulted in the firm missing a deadline on a client matter and the client suffered loss, any claim for compensation by the client would give rise to a civil liability indemnifiable under the policy.
If the firm paid the ransom to unlock its computer system, that payment would not be covered as it is not a civil liability. Similarly, any cost paid to obtain technical advice from IT specialists would not be covered.
Where a cyber attack results in confidential client information being stolen there are different possible outcomes. For example, the use of the confidential information may result in the client suffering a loss. If the client claims that loss from the firm the policy will cover that claim. Or, the client may make a misconduct complaint to the Victorian Legal Services Board and Commissioner for allowing the confidential information to be disclosed. That complaint is not covered by the policy unless the complaint also includes an allegation of negligence and a claim for compensation.