At present, the level of cyber risk in the UK is high. Cyber-attacks, and in particular ransomware attacks, are becoming increasingly common as a result of a combination of factors, including increased state backing of threat actors (which allows illicit operations to scale), lower barriers to entry (through initiatives such as ransomware as a service (RaaS)) and the legacy of hybrid working post-pandemic.
This, coupled with the increasing sophistication of attacks, the frequency of their success and the well-documented seven-figure losses suffered by victims, has led many organisations to ask ‘when’, not ‘if’, they will suffer a cyber incident. It has also resulted in previously responsive insurance policies, such as professional indemnity insurance (PII), now specifically excluding cyber risk. Accordingly, specialist cyber insurance has become an essential requirement for organisations of all sizes and across all sectors, including chambers.
The nature of the risk is constantly evolving along with the approach of the insurance market underwriting it, so what are the key considerations for your chambers when taking out or renewing cyber insurance in 2024?
As the level of cyber risk has increased, so have the minimum requirements imposed by insurers in order to qualify for cover. Most, if not all, cyber insurance providers in the market will now require a good level of technical and organisational security measures to be in place before your chambers can obtain cover. In particular, when applying for cyber cover, you will be required to complete a document answering a series of questions about your systems, data and security provisions (the proposal form). Typically, an insurer will require your chambers to have the following core preventative technical and organisational measures in place ahead of time. If these measures are not in place, then following a cyber-attack an insurer may increase the premium, decline to cover a loss that could have been prevented by these measures, or refuse to offer insurance cover at all:
It is important to ensure that you fully understand exactly what technical and organisational controls your chambers has in place, along with their precise scope, when completing your proposal form, so that you provide a fair presentation of the risk to the prospective insurer. For example, it may be that you have MFA in place for some methods of access to your systems but not across all of them – perhaps historically used access methods, such as Outlook Web Access, remain unprotected. Understanding your IT estate and the parameters of your cyber security, and making sure these are accurately represented to the insurer, will help ensure that cover is not refused at a later stage.
Different cyber policies will cover different types of cyber risk which might arise as a result of an incident. Some policies will respond to incidents which occur only as a result of a direct compromise of your own systems or personal data, others will, in addition to this, cover incidents suffered by third parties who process data on your behalf, such as managed service providers. Understanding how your chambers processes data and the risks it faces, including whether it outsources data processing to third parties is key to ascertaining the scope of the risk that you require cover for.
The heads of loss that are covered and excluded under a cyber policy should be carefully considered. Most major cyber incidents will result in significant consequential losses being incurred by an organisation. These relate not only to responding to the incident and recovering in order to return to an operational state, but also to claims brought by affected third parties (whether other businesses/stakeholders and/or affected individuals), in some instances the imposition of financial penalties (insofar as insurable – generally speaking, English common law will not permit the insurability of a fine premised on moral fault), and remedial costs to improve security controls going forward (go-forward remedial costs are often excluded from the scope of cover because they are classed as betterment). Given the wide scope of consequential losses, it is desirable to have cover in place for as many categories of first- and third-party loss as possible.
The unfortunate reality of suffering a cyber-attack, and in particular of falling victim to a ransomware incident, is that a significant cost you may incur is the payment of a ransom to the threat actor in order to recover your encrypted and stolen data. In practice, these payments can range from £10,000s to £1,000,000s, but despite this they are often considered by many victims to still represent good value in the circumstances and the most effective form of mitigation. Consideration of the ethics and lawfulness of ransom payments, and of the position of regulators in relation to such payments, is outside the scope of this article. However, in light of the prevalence of ransomware attacks and the frequency with which this scenario materialises, it would be prudent to consider whether a cyber policy excludes such an expense and, if so, the potential cost exposure your chambers might face should it suffer a ransomware incident.
Comprehensive cyber cover may be offered to you by an insurer, but the retention required to engage the policy may be too high for it to be of real value to your chambers in practice. Given the frequency of cyber-attacks and the different ways in which incidents can manifest themselves, there may be a number of small-to-mid-size incidents where your response and recovery might still cost your chambers significantly, but where you wish to engage the policy for a lower amount. Your chambers will need to evaluate the risk of a cyber-attack and its direct and indirect costs against the likely cost of cyber cover, with reference to the limit of indemnity (which is usually an aggregate limit) and the applicable retentions; a qualified cyber broker will be able to assist chambers with this. Understanding your risk profile and likely cost exposure in different breach scenarios is key to determining the level of cover you require and the appropriate retention to have in place, so that you can use the policy in accordance with your needs.