At present, the level of cyber risk in the UK is high. Cyber-attacks, and ransomware attacks in particular, are becoming increasingly common as a result of a combination of factors: increased state backing of threat actors, which allows illicit operations to scale; lower barriers to entry through models such as ransomware as a service (RaaS); and the legacy of hybrid working post-pandemic.
This, coupled with the increasing sophistication of attacks, the frequency of their success and the well-documented seven-figure losses suffered by victims, has led many organisations to ask ‘when’ rather than ‘if’ they will suffer a cyber incident. It has also led previously responsive policies, such as professional indemnity insurance (PII), to specifically exclude cyber risk. Accordingly, specialist cyber insurance has become an essential requirement for organisations of all sizes and across all sectors, including chambers.
The nature of the risk is constantly evolving along with the approach of the insurance market underwriting it, so what are the key considerations for your chambers when taking out or renewing cyber insurance in 2024?
As the level of cyber risk has increased, so have the minimum requirements imposed by insurers in order to qualify for cover. Most, if not all, cyber insurance providers in the market will now require a good level of technical and organisational security measures to be in place before your chambers can obtain cover. In particular, when applying for cyber cover, you will be required to complete a document answering a series of questions about your systems, data and security provisions (the proposal form). Typically, an insurer will require your chambers to have the following core preventative technical and organisational measures in place ahead of time. If these measures are not in place, then following a cyber-attack an insurer may increase the premium, decline to cover a loss that could have been prevented by these measures, or refuse to offer cover at all:
It is important to ensure that you fully understand exactly what technical and organisational controls your chambers has in place, along with their precise scope, when completing your proposal form, so that you present the risk fairly to the prospective insurer. For example, you may have MFA in place for some methods of access to your systems but not across all of them, perhaps because legacy access methods such as Outlook Web Access were never brought into scope. Understanding your IT estate and the boundaries of your cyber security, and making sure these are accurately represented to the insurer, will help ensure that cover is not refused at a later stage.
Different cyber policies will cover different types of cyber risk that might arise as a result of an incident. Some policies will respond only to incidents that arise from a direct compromise of your own systems or personal data; others will, in addition, cover incidents suffered by third parties who process data on your behalf, such as managed service providers. Understanding how your chambers processes data and the risks it faces, including whether it outsources data processing to third parties, is key to ascertaining the scope of the risk for which you require cover.
The heads of loss that are covered and excluded under a cyber policy should be carefully considered. Most major cyber incidents will result in significant consequential losses for an organisation. These relate not only to responding to the incident and recovering to an operational state, but also to claims brought by affected third parties (whether other businesses and stakeholders and/or affected individuals); in some instances, to the imposition of financial penalties (insofar as these are insurable: generally speaking, English common law will not permit a fine to be insured where it is premised on moral fault); and to remedial costs to improve security controls going forward (such go-forward remedial costs are often excluded from the scope of cover because they are classed as betterment). Given the wide scope of consequential losses, it is desirable to have cover in place for as many categories of first- and third-party loss as possible.
The unfortunate reality of suffering a cyber-attack, and in particular of falling victim to a ransomware incident, is that a significant cost you may incur is the payment of a ransom to the threat actor in order to recover your encrypted and stolen data. In practice, these payments can range from £10,000s to £1,000,000s, yet many victims still consider them to represent good value in the circumstances and the most effective form of mitigation. The ethics and lawfulness of ransom payments, and the position of regulators in relation to such payments, are outside the scope of this article. However, in light of the prevalence of ransomware attacks and the frequency with which this scenario materialises, it would be prudent to consider whether a cyber policy excludes such an expense and, if so, the potential cost exposure your chambers might face should it suffer a ransomware incident.
Comprehensive cyber cover may be offered to you by an insurer, but the retention required to engage the policy may be too high for it to be of real value to your chambers in practice. Given the frequency of cyber-attacks and the different ways in which incidents can manifest, there may be a number of small-to-mid-size incidents where response and recovery still cost your chambers significantly, but where you wish to engage the policy for a lower amount. Your chambers will need to weigh the risk of a cyber-attack and its direct and indirect costs against the likely cost of cyber cover, with reference to the limit of indemnity (which is usually an aggregate limit) and the applicable retentions; a qualified cyber broker will be able to assist chambers with this. Understanding your risk profile and likely cost exposure in different breach scenarios is key to determining the level of cover you require and the appropriate retention to have in place, so that you can use the policy in accordance with your needs.