At present, the level of cyber risk in the UK is high. Cyber-attacks, and ransomware attacks in particular, are becoming increasingly common as a result of a combination of factors: state backing of threat actors, which lets illicit operations scale; lower barriers to entry, through models such as ransomware as a service (RaaS); and the legacy of hybrid working since the pandemic.
This, coupled with the increasing sophistication of attacks, the frequency with which they succeed and well-documented seven-figure losses suffered by victims, has led many organisations to ask 'when', not 'if', they will suffer a cyber incident. It has also led previously responsive policies, such as professional indemnity insurance (PII), to exclude cyber risk expressly. Accordingly, specialist cyber insurance has become an essential requirement for organisations of all sizes and across all sectors, including chambers.
The nature of the risk is constantly evolving along with the approach of the insurance market underwriting it, so what are the key considerations for your chambers when taking out or renewing cyber insurance in 2024?
As the level of cyber risk has increased, so have the minimum requirements insurers impose before they will offer cover. Most, if not all, cyber insurers now require a good level of technical and organisational security measures to be in place before your chambers can obtain cover. When applying, you will be asked to complete a proposal form: a document answering a series of questions about your systems, data and security provisions. Typically, an insurer will expect your chambers to have the following core preventative technical and organisational measures in place ahead of time. If they are not, then following a cyber-attack the insurer may increase the premium, decline to cover a loss that those measures would have prevented, or refuse to offer cover at all:
It is important to understand exactly what technical and organisational controls your chambers has in place, and their precise scope, when completing the proposal form, so that you give the prospective insurer a fair presentation of the risk. For example, MFA may be enforced for some methods of access to your systems but not all: older access routes such as Outlook Web Access, or mailbox protocols that still accept basic authentication (IMAP, POP3, ActiveSync), often sit outside it, and a 'yes' to an MFA question that is only partly true is exactly the kind of misstatement that can lead to cover being refused later. Before answering, check the sign-in logs for each access path rather than relying on the policy document. Understanding your IT estate and the boundaries of your security controls, and making sure these are represented accurately to the insurer, will help ensure that cover is not refused at a later stage.
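The check suggested above, as an added example that is not part of the original article: a small audit that reads sign-in records and reports every access path through which a successful sign-in completed without MFA, flagging legacy-authentication clients separately. The record layout is an assumption modelled on a few Microsoft Entra ID sign-in log fields (userPrincipalName, clientAppUsed, authenticationRequirement, status.errorCode); the sample log is constructed, and the tenant name chambers.example is fictitious.

```python
"""Audit sign-in records for access paths that succeed without MFA.

Added example, not from the article. Field names are an assumption modelled
on Microsoft Entra ID sign-in log records; the sample data is constructed.
"""
import json
from collections import defaultdict

# Constructed sample sign-in log, one JSON object per line.
SAMPLE_SIGNINS = """
{"userPrincipalName": "alice@chambers.example", "clientAppUsed": "Browser", "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@chambers.example", "clientAppUsed": "Mobile Apps and Desktop clients", "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}}
{"userPrincipalName": "carol@chambers.example", "clientAppUsed": "Browser", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
{"userPrincipalName": "dave@chambers.example", "clientAppUsed": "Exchange ActiveSync", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
{"userPrincipalName": "erin@chambers.example", "clientAppUsed": "IMAP4", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}}
{"userPrincipalName": "frank@chambers.example", "clientAppUsed": "IMAP4", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
{"userPrincipalName": "alice@chambers.example", "clientAppUsed": "Browser", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
"""

# Client types that use legacy (basic) authentication and so cannot be prompted for MFA.
LEGACY_CLIENTS = {"Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients"}


def parse_signins(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def successful(records):
    """Keep only sign-ins that actually succeeded (errorCode 0)."""
    return [r for r in records if r.get("status", {}).get("errorCode", -1) == 0]


def mfa_gaps(records):
    """Map each client app with a successful single-factor sign-in to the users who used it.

    Failed attempts are ignored: a password-only attempt that was rejected is not
    evidence of an MFA gap, but a successful one is.
    """
    gaps = defaultdict(set)
    for r in successful(records):
        if r.get("authenticationRequirement") != "multiFactorAuthentication":
            gaps[r["clientAppUsed"]].add(r["userPrincipalName"])
    return dict(gaps)


def mfa_coverage(records):
    """Fraction of successful sign-ins that satisfied MFA (1.0 if there were none)."""
    ok = successful(records)
    if not ok:
        return 1.0
    with_mfa = sum(1 for r in ok if r.get("authenticationRequirement") == "multiFactorAuthentication")
    return with_mfa / len(ok)


def report(text):
    """Return report lines: overall coverage, then one line per access path without MFA."""
    records = parse_signins(text)
    lines = [f"MFA coverage of successful sign-ins: {mfa_coverage(records):.0%}"]
    for app, users in sorted(mfa_gaps(records).items()):
        tag = "LEGACY AUTH" if app in LEGACY_CLIENTS else "modern client"
        lines.append(f"  {app} ({tag}): {len(users)} user(s) without MFA: {', '.join(sorted(users))}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SIGNINS)))
```

On the constructed log the report shows one third of successful sign-ins covered by MFA and three uncovered paths: Browser (which includes Outlook Web Access), Exchange ActiveSync and IMAP4. Erin's IMAP4 attempt does not appear because it failed. Run against a real export, any legacy-auth line in the output is a path that should be blocked or brought under MFA before the proposal form describes MFA as being in place.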
Different cyber policies will cover different types of cyber risk which might arise as a result of an incident. Some policies will respond to incidents which occur only as a result of a direct compromise of your own systems or personal data, others will, in addition to this, cover incidents suffered by third parties who process data on your behalf, such as managed service providers. Understanding how your chambers processes data and the risks it faces, including whether it outsources data processing to third parties is key to ascertaining the scope of the risk that you require cover for.
The heads of loss covered and excluded under a cyber policy should be considered carefully. Most major cyber incidents result in significant consequential losses: not only the cost of responding to the incident and recovering to an operational state, but also claims brought by affected third parties (other businesses, stakeholders and/or affected individuals), in some instances financial penalties (insofar as they are insurable; generally speaking, English common law will not permit a fine premised on moral fault to be insured) and remedial costs to improve security controls going forward (go-forward remedial costs are often excluded from cover as 'betterment'). Given the wide scope of consequential losses, it is desirable to have cover in place for as many categories of first-party and third-party loss as possible.
The unfortunate reality of suffering a cyber-attack, and in particular a ransomware incident, is that one significant cost you may incur is a ransom paid to the threat actor to recover encrypted data or to prevent publication of stolen data. In practice these payments range from tens of thousands to millions of pounds, yet many victims still consider them good value in the circumstances and the most effective form of mitigation. Two practical caveats apply: payment buys a decryption tool, not a guarantee that it works, and data already exfiltrated remains in the attacker's hands whether or not the ransom is paid. The ethics and lawfulness of ransom payments, and the position of regulators on them, are outside the scope of this article. However, given how frequently this scenario materialises, it would be prudent to check whether a cyber policy excludes such an expense and, if so, the cost exposure your chambers might face should it suffer a ransomware incident.
Comprehensive cyber cover may be offered to you by an insurer, but the retention (the amount you bear before the policy responds) may be too high for the policy to be of real value to your chambers in practice. Given the frequency of cyber-attacks and the many ways incidents can manifest, there may be a number of small-to-mid-size incidents whose response and recovery still cost your chambers significantly, yet fall below the retention or leave you wishing to claim only a modest amount. Your chambers will need to weigh the risk of a cyber-attack and its direct and indirect costs against the likely cost of cover, with reference to the limit of indemnity (usually an aggregate limit across the policy period) and the applicable retentions; a qualified cyber broker can assist with this. Understanding your risk profile and likely cost exposure in different breach scenarios is key to determining the level of cover you require and the appropriate retention, so that you can use the policy in line with your needs.