The Legal Practitioners’ Indemnity Insurance Fund NPC (LPIIF) – previously named the Attorneys Insurance Indemnity Fund NPC – has since 1 July 2016 excluded insurance cover for cybercrime related claims. This has raised many concerns from legal practitioners. In essence, the profession is concerned that public funds are insured for intentional misappropriation or theft and not insured for instances when theft arises due to the negligence associated with cybercrime.
The LPIIF provides a level of professional indemnity insurance cover to all practitioners in possession of a valid Fidelity Fund Certificate on the date that the cause of action arose. According to the LPIIF, cybercrime is not a professional indemnity risk, but rather a business risk faced by all business enterprises and individuals – the risk is not unique to the practice of law or any other profession. The LPIIF has further stated that this is a business commercial risk that can be covered under various cyber risk and commercial crime products available on the market.
The current LPIIF Master Policy defines cybercrime as:
‘Cybercrime: Any criminal or other offence that is facilitated by or involves the use of electronic communications or information systems, including any device or the Internet or any one or more of them. (The device may be the agent, the facilitator or the target of the crime or offence)’.
Under the exclusions, clause 16, the LPIIF Master Policy states:
‘16. This policy does not cover any liability for compensation:
…
c) which is insured or could more appropriately have been insured under any other valid and collectible insurance available to the Insured, covering a loss arising out of the normal course and conduct of the business or where the risk has been guaranteed by a person or entity, either in general or in respect of a particular transaction, to the extent to which it is covered by the guarantee. This includes but is not limited to Misappropriation of Trust Funds, Personal Injury, Commercial and Cybercrime insurance policies;
…
o) arising out of Cybercrime’.
Answering a question posed by the editor as to why the LPIIF decided to exclude cover for cybercrime, the LPIIF stated:
‘Clause 16(o) of the LPIIF policy excludes claims arising from cybercrime and also excludes risks (such as cybercrime) that are more appropriately insured under another policy (clause 16(c)). Cybercrime is thus not a risk that falls within the ambit of the cover intended under the LPIIF professional indemnity policy.
The LPIIF has warned the profession of the risks associated with cybercrime since 2010. Since 2015, the profession and the [provincial] law societies were warned of the impending amendments to the LPIIF policy to exclude cybercrime from the Master Policy – the exclusion only came into effect on 1 July 2016. The draft policy including the cybercrime exclusion was published in February 2016 informing the profession that the amended policy would be implemented from 1 July 2019.
Since the cybercrime exclusion came into effect on 1 July 2016, 128 such claims have been notified. The total value of the excluded cybercrime claims is R 80 947 146,87. This figure excludes the investigation and defence costs that would have been expended in respect of these claims, as well as any interest that would have been payable.
The LPIIF is funded by way of single annual [payment] received from the Legal Practitioners’ Fidelity Fund. The current premium is R 147 472 806,96. Had the cybercrime claims been covered, 55% of the annual premium would have been used to pay claims arising out of just this one risk. This would pose a serious risk to the long-term sustainability of the company.
The Solvency Assessment and Management (SAM) regulatory regime for insurance companies (which also applies to the LPIIF) prescribes that insurance companies must proactively manage their risks. The exclusion of cybercrime was part of the LPIIF’s risk management process and a measure aimed at protecting the long-term sustainability of the company and ensuring that the company meets the prescribed minimum solvency requirements for insurers.
The practitioners who have fallen victim to cybercrime have failed to comply with the Rules with regards to the implementation of internal controls and the verification of banking details before making payments as prescribed by Rule 54.13 in particular.’
The legal profession exists in a world where digital communication, the use of electronic gadgets and the Internet in business makes life easier. All this then brings all the risks associated with conducting business electronically. The Law Society of South Africa (LSSA) has set up a Cybersecurity Helpdesk with the view of assisting legal practitioners on matters related to cybersecurity and cyber liability insurance. In the near future, a list of underwriters providing cyber liability insurance (listed by the South African Insurance Association) will be published on the LSSA website. This will provide contact information of underwriters or their accredited brokers, who legal professionals may approach in addressing this critical aspect of legal professional’s cybersecurity management (see www.lssa.org.za).
See also:
This article was first published in De Rebus in 2019 (April) DR 3.
