Cybercrime clause to provide greater clarity PII


A new clause specifying what coverage will be provided for cyber losses will be added to the minimum requirements of law firm professional liability (PII) insurance policies.

The addition, developed by the Solicitors Regulation Authority (SRA) in close collaboration with the legal profession and insurers, has been submitted to the Legal Services Board (LSB) for final approval. If agreed, it should be in place for any insurance renewals from early 2022.

The SRA has proposed the additional clause following the Prudential Regulation Authority and Lloyd’s of London asking UK insurers to ensure they focus on losses resulting from cybercrime in all policies, including those written for law firms.

The clause means that insurance policies will explicitly mention cybercrime coverage and specify losses that can be the subject of a potential claim. Coverage is for the protection of clients and third parties – losses incurred by the law firm (first party losses), with the exception of certain costs of investigating and defending a claim, are not covered. Companies can choose to take out a separate cyber policy for other risks.

The SRA organized a public consultation over the summer on the addition of the new clause, followed by further discussions with representatives of the insurers and the Law Society based on the comments received.

Paul Philip, Managing Director of the SRA, said

“Professional liability insurance offers key protection for the public. Law firms handle large amounts of client money and sensitive information, making them an attractive target for cybercriminals. The computer loss clause provides real clarity for consumers, law firms and insurers on the protection of customers and third parties in the event of a cyber attack, without modifying the amount of coverage provided for by the minimum conditions.

Insurers can continue to offer stand-alone cyber insurance policies, a move the SRA describes as “For the company to consider taking into account its own risk profile and the way it manages its activities”.

In the meantime, the SRA advises insurers not to change the terms of their PII policies (SRA). They also don’t expect insurers to use the proposals or any lack of specificity to imply that businesses are not covered for liability claims, or other losses under the conditions. minimum, which occur as a result of a cyberattack.

The SRA has published a summary of the responses to its consultation and its position on those responses, along with all responses received:

Leave A Reply

Your email address will not be published.