Taking the cyber challenge by Janine Parker, Paragon LawSelect
This article was also featured as a column in the June 2016 issue of LPM.
The introduction of the General Data Protection Regulation (GDPR) is fast approaching. The requirements to comply with this new legislation are both vast and complex. What are the implications for the legal profession? Are firms aware of the extent of their obligations? How can practices protect themselves from the cacophony of chaos that exists in the real and virtual world?
What we do know is that from 25 May 2018 all companies will have to comply with these rules or face fines and/or penalties.
In previous articles I have considered phishing, vishing, spear phishing and whaling – all words that we are seeing more and more in the press and public domain. Recent high-profile hacks continue to appear in the daily newspapers. The financial consequences of these breaches are often significant, and that isn’t taking into account the reputational damage that can occur. SME law firms would be wrong to assume that no one is interested in their data, let alone the money they have access to.
Feedback from interaction with our current portfolio of clients would suggest that at least half have been victims of an attack of some description. Whether it be theft of client monies or holding IT systems to ransom, firms have been seriously affected by these attacks. Thankfully many of the systems and procedures that firms implement mean many fraud or hacking attempts are unsuccessful. But with the new legislation, and techniques becoming more sophisticated, firms will have to continue to adapt and develop their defences.
It isn’t surprising, therefore, that roughly 95% of the audience at the recent LPM conference at the Royal College of Surgeons said cyber-risk was on their management meeting agendas. Many firms were unsure of where to start with the mountain of obligations that are coming into existence.
So what protection is available, and how is the insurance industry reacting to the challenge of the cyber-threat? Over the last two years the number of insurers writing cyber insurance has doubled. As with law firms, the risks associated with cyber for insurers (both their own and their insureds’) are evolving at a rapid rate. Some see this as an opportunity for a relatively new market in the insurance sector, while other insurers see this as too great a challenge to underwrite accurately.
The good news is that enough insurers want to fully understand the exposures and assist clients wherever possible, demonstrated by new entrants to the market. Much of the intellectual property around wordings and policies comes from the USA, where the market is more mature and experienced. Insurers are taking that knowledge and translating it for the UK market – specifically for firms.
Some basic products already exist and more are about to be released to the market. Although your professional indemnity insurance concerns the protection of your clients, cyber-risk policies are concerned with first-party protection; protecting you, your employees and your practice. These products exist to help you meet your obligations under the GDPR. There is also access to breach response teams if you suffer an attack, as well as legal expertise and PR assistance should you require it.
There are many challenges around cyber-risk, but the insurance industry is certainly here to help.