At present, the level of cyber risk in the UK is high. Cyber-attacks, and in particular ransomware attacks, are becoming increasingly common as a result of a combination of factors: increased state backing of threat actors, which allows illicit operations to scale; lower barriers to entry through models such as ransomware as a service (RaaS); and the legacy of hybrid working post-pandemic.

This, coupled with the increasing sophistication of attacks, the frequency of their success and the well-documented seven-figure losses suffered by victims, has led many organisations to ask ‘when’, not ‘if’, they will suffer a cyber incident. It has also resulted in previously responsive insurance policies, such as professional indemnity insurance (PII), now specifically excluding cyber risk. Accordingly, specialist cyber insurance has become an essential requirement for organisations of all sizes and across all sectors, including chambers.

The nature of the risk is constantly evolving along with the approach of the insurance market underwriting it, so what are the key considerations for your chambers when taking out or renewing cyber insurance in 2024?

What is our insurability?

As the level of cyber risk has increased, so have the minimum requirements imposed by insurers in order to qualify for cover. Most, if not all, cyber insurance providers in the market will now require a good level of technical and organisational security measures to be in place before your chambers can obtain cover. In particular, when applying for cyber cover, you will be required to complete a document (the proposal form) answering a series of questions about your systems, data and security provisions. Typically, an insurer will require your chambers to have the following core preventative technical and organisational measures in place ahead of time. If these measures are not in place, then following a cyber-attack an insurer may increase the premium, decline to cover a loss that could have been prevented by these measures, or refuse to offer insurance cover at all:

  • multi-factor authentication (more commonly referred to as ‘MFA’) – to be in place for all access to your network/systems including remote network access through a VPN and personal devices when connecting with the network;
  • data security/incident response policies – comprehensive privacy and data security policies setting out how personal data is to be stored and handled securely (including on personal devices), and how you will respond to an incident in order to mitigate the impacts;
  • risk identification and eradication – regular penetration tests/network scanning to be conducted against your network and systems to identify vulnerabilities and remediate them;
  • cyber training requirements for all system users – chambers’ employees and barristers in receipt of regular cybersecurity awareness training on topics such as phishing, along with receiving guidance on data handling best practice;
  • regular secure back-ups – regularly backing up essential data will enable your chambers to return to an operational state more quickly and significantly reduce costs and losses in the wake of a breach.

Fair presentation of risk

It is important to ensure that you fully understand exactly what technical and organisational controls your chambers has in place, along with their precise scope, when completing your proposal form, so that you provide a fair presentation of risk to the prospective insurer. For example, it may be that you have MFA in place for some methods of access to your systems but not across all of them – perhaps for legacy access methods such as Outlook Web Access. Understanding your IT estate and the parameters of your cyber security, and making sure these are accurately represented to the insurer, will help ensure that cover is not refused at a later stage.

What risks does the policy cover?

Different cyber policies will cover different types of cyber risk which might arise as a result of an incident. Some policies will respond only to incidents which occur as a result of a direct compromise of your own systems or personal data; others will, in addition, cover incidents suffered by third parties who process data on your behalf, such as managed service providers. Understanding how your chambers processes data and the risks it faces, including whether it outsources data processing to third parties, is key to ascertaining the scope of the risk that you require cover for.

Which losses does the policy cover?

The heads of loss that are covered and excluded under a cyber policy should be carefully considered. Most major cyber incidents will result in significant consequential losses being incurred by an organisation, not only in responding to the incident and recovering to an operational state, but also in relation to claims brought by affected third parties (whether other businesses/stakeholders and/or affected individuals), in some instances the imposition of financial penalties (insofar as insurable – generally speaking, English common law won’t permit the insurability of a fine premised on moral fault) and remedial costs to improve security controls going forward (go-forward remedial costs are often excluded from the scope of cover as they are classed as betterment). Given the wide scope of consequential losses, it is desirable to have cover in place for as many categories of first and third party loss as possible.

The unfortunate reality of suffering a cyber-attack, and in particular of falling victim to a ransomware incident, is that a significant cost which you may incur is the payment of a ransom to the threat actor in order to recover your encrypted and stolen data. In practice, these payments can range from £10,000s to £1,000,000s, but despite this they are often considered by many victims to still represent good value in the circumstances and the most effective form of mitigation. Consideration of the ethics and lawfulness of ransom payments and the position of regulators in relation to such payments is outside the scope of this article. However, in light of the prevalence of ransomware attacks and the frequency with which this scenario materialises, it would be prudent to consider whether a cyber policy excludes such an expense and, if so, the potential cost exposure your chambers might face should it suffer a ransomware incident.

Does the cover limit and retention meet chambers’ needs?

Comprehensive cyber cover may be offered to you by an insurer, but the retention required to engage the policy may be too high for it to prove of real value to your chambers in practice. Given the frequency of cyber-attacks and the different ways in which incidents can manifest themselves, there may be a number of small-to-mid size incidents where response and recovery still cost your chambers significantly, but for which you would wish to engage the policy at a lower amount. Your chambers will need to evaluate the risk of a cyber-attack and its direct/indirect costs against the likely cost of cyber cover, with reference to the limit of indemnity (which is usually an aggregate limit) and the applicable retentions; a qualified cyber broker will be able to assist chambers with this. Understanding your risk profile and likely cost exposure in different breach scenarios is key to determining the level of cover you require and the appropriate retention to have in place, so that you can use the policy in accordance with your needs.