Cyber liability insurance

February 1st, 2019

By Anthony Pillay

As recently as October 2018, the International Bar Association (IBA) published ‘Cybersecurity Guidelines’ (available at www.ibanet.org). The duty to safeguard the confidentiality of client information is as old as the legal profession. In processing both client information and our own business information, the vast majority of which is in electronic form, legal professionals who choose to avail themselves of the undisputed advantages of information and communications technologies are duty bound to understand the risks of doing so and to establish and maintain safeguards against the risks that they may be exposed to. Against this background the Law Society of South Africa (LSSA) has for many years published guidelines on Information Security and Protection of Personal Information that have been available on its website at www.lssa.org.za. The guidance provided by the LSSA is confirmed in the Cybersecurity Guidelines and every legal professional who processes information electronically should – if they are diligent in discharging their duties – read and become familiar with these guidelines.

The guidelines must be recognised for what they are. They provide assistance but are not definitive checklists. We all process different information, we use different technologies and have different perceptions as to how information should be processed and the security safeguards appropriate to the processing. This demands that legal professionals devote time to understanding cyber risks and what cybersecurity is appropriate. It must also be accepted that the obligation that rests on legal professionals, because of the sensitivity of the information that they process and their professional duty, is onerous.

It is only once risks are understood that decisions may be taken as to whether the risk –

  • is acceptable (the consequences may be insignificant or even if the consequences are significant the chances of the risk actually being realised are remote); and
  • if unacceptable, what are the appropriate control measures that must be established, implemented and consistently maintained to protect client and business information?

If a risk assessment is properly considered, it will become evident that some risks are extremely difficult to protect against, despite the best endeavours of parties seeking to do so. Cyber liability insurance may, therefore, need to be considered to mitigate the financial and reputational impact of this risk. As an integral part of the Cybersecurity Guidelines, in ch 2 dealing with organisational processes and under the heading ‘Consider cyber liability insurance’, the guideline points out:

  • ‘Even if law firms implement their best cybersecurity technologies and processes, firms will still have some level of risk exposure [residual risk].
  • Law firms should assess their risk exposure as outlined and take out adequate cyber-insurance as part of the firm’s overall cybersecurity risk mitigation strategy.’

The reality is that in South Africa (SA) cyber liability is expressly excluded from cover provided by the Attorneys Insurance Indemnity Fund NPC (AIIF). As a result, many legal professionals are not covered against cyber risks and, therefore, will be unable to recover from a serious breach resulting in significant financial exposure.

The risk to the legal profession in SA is exacerbated by our being the second most targeted country in the world with regard to cyberattacks. In the case of business e-mail compromises, the AIIF reported in August of 2018 that since the exclusion of cyber liability insurance with effect from 1 July 2016, the AIIF had been notified of over 110 cybercrime related claims with a total value of R 70 million.

In considering cyber liability insurance, it must be understood that – as with physical insurance – the insured has an obligation to establish and maintain appropriate security measures as a condition of the grant of insurance cover. In the same manner that unprotected physical premises will be either uninsurable or subject to extremely high premiums and excesses, so too will cyber insurers require that the insured fulfils certain minimum requirements. Where an insured has taken cognisance of the guidelines provided by the LSSA and the IBA it is highly likely that most of these boxes will be ticked.

As both cybersecurity and cyber liability insurance are rapidly developing fields, the LSSA Cybersecurity Helpdesk will, on a continuous basis, engage with information security professionals and cyber insurers in seeking to address issues which are specifically appropriate to the profession. In this regard, it is proposed that in the future a list of underwriters providing cyber liability insurance (listed by the South African Insurance Association) will be published on the LSSA website. This will provide contact information of underwriters or their accredited brokers, whom legal professionals may approach in addressing this critical aspect of a legal professional’s cybersecurity management (see www.lssa.org.za).

The Law Society of South Africa’s Cybersecurity Helpdesk is headed by Anthony Pillay. Mr Pillay is currently the Acting Executive Director of the Law Society of South Africa.

This article was first published in De Rebus in 2019 (JanFeb) DR 42.
