Cyber and Crime Insurance

Kieren Windsor
Regional PI Account Director
2nd December 2016

Cybercrime is the fastest growing crime in the world but not all of the consequences of a cyber-attack are covered by standard insurance policies.

The policies available in the UK insurance market vary substantially between insurers.

Cybercrime is a risk that all legal firms face, and the spate of recent scams specifically targeting the profession (commonly known as the "Friday afternoon frauds") has only further highlighted the exposures. Your current professional indemnity insurance policy may provide cover for client claims (including possible losses to the client account), but a separate policy tailored to provide the bespoke cover needed in this area could help you to protect the claims record under your firm's PII.

Before you can properly assess what exposures you may face, there should be an understanding of what covers are available in this area.

CRIME INSURANCE

Crime policies are written on a ‘First Party’ basis. They aim to offer protection to the policyholder against the loss of money, securities and other property following a criminal act - such as employee theft, robbery, forgery, extortion and computer fraud.

CYBER INSURANCE

Cyber policies tend to cater for both First Party and Third Party risks, such as: -

First Party Risks

  • Damage to your hardware and/or software as a result of a virus or hacker attack
  • Cover for the costs you incur in connection with the loss of or damage to data
  • System downtime – costs incurred as a result of your system being down (loss of revenue for instance)
  • Costs associated with having your identity stolen

Third Party Risks

  • Failure to anticipate or prevent the transmission of a virus to a third party
  • Misuse, disclosure or theft of confidential/3rd party information stored on your network or system
  • Infringement of a 3rd party's Intellectual Property rights

SOCIAL ENGINEERING

One of the key areas of risk that we are all faced with is Social Engineering.

Social Engineering (which includes terminology such as “Phishing” and “Baiting”) is a technique used by fraudsters to influence a person to carry out any number of actions, with the end goal of compromising network security. The techniques adopted, often by phone or by email, allow the fraudsters to convince the person targeted to divulge sensitive/additional information, or to perform some other task on the fraudster’s behalf.

Because of the potential use of email in this type of scam, there is a common misconception that these exposures will automatically be covered under a Cyber policy. In most instances this risk would not be covered by a Cyber policy.

So what cover do you need?

Firstly, give some thought to the following. This will help you to begin to understand if you/your business is exposed and what cover could be available in order to meet your needs.

- Are accounting procedures consistent throughout your business?

- Is there any one individual in the business who conducts the following from start to finish, without referral to others: -

  • Sign cheques or authorise payments
  • Issue fund transfer instructions
  • Amend fund transfer procedures
  • Open new bank accounts
  • Invest in, or hold custody of, securities and valuables

- Are payment instructions ever given by phone/fax?

- Are all changes to supplier/client bank details confirmed by telephone – using only the contact number previously supplied by the supplier/client?

- Are changes to be made to supplier bank details always sent in a written advice to the supplier, and only implemented once the supplier has had the opportunity to verify the change?

- Is the first payment to a new supplier bank account always capped and confirmation of receipt from the supplier always obtained before any further payments are made?

- Are unusual payment instructions followed up by call back to check authenticity?

- Are bank statements independently reconciled by persons not authorised to deposit or withdraw funds, issue funds transfer instructions or dispatch funds to suppliers/clients?

- Are supporting documents always validated before authorising payments?

It is imperative that you understand what exposures you are faced with and what additional cover could be considered - over and above what your Professional Indemnity insurance will provide – either via a Cyber policy or a Crime policy.

Limits of cover will range from £100k to over £5m and premiums will start from as little as £250. For more information call your usual PIB contact or phone 0117 9269937.

Kieren Windsor
Regional PI Account Director
www.pib-insurance.com