The need for cybercrime insurance

October 1st, 2022
x
Bookmark

Since 1 July 2016, the Legal Practitioners’ Indemnity Insurance Fund NPC (LPIIF) has excluded insurance cover for cybercrime related claims. This has raised many concerns from legal practitioners. In essence, the profession is concerned that public funds are insured for intentional misappropriation or theft and not insured for instances when theft arises due to the negligence associated with cybercrime.

The LPIIF provides a level of professional indemnity (PI) insurance cover to all practitioners in possession of a valid Fidelity Fund Certificate on the date that the cause of action arose. The LPIIF states that cybercrime is not a PI risk, but rather a business risk faced by all business enterprises and individuals – the risk is not unique to the practice of law or any other profession. The LPIIF has further stated that this is a business commercial risk that can be covered under various cyber risk and commercial crime products available on the market.

The current LPIIF Master Policy defines ‘cybercrime’ as:

‘Cybercrime: Any criminal or other offence that is facilitated by or involves the use of electronic communications or information systems, including any device or the Internet or any one or more of them. (The device may be the agent, the facilitator or the target of the crime or offence)’.

Under the exclusions, clause 16 of the LPIIF Master Policy states:

‘16. This policy does not cover any liability for compensation:

  1. c) which is insured or could more appropriately have been insured under any other valid and collectible insurance policy available to the Insured, covering a loss arising out of the normal course and conduct of the business, or where the risk has been guaranteed by a person or entity, either in general or in respect of a particular transaction, to the extent to which it is covered by the guarantee. This includes but is not limited to Misappropriation of Trust Funds, Personal Injury, Commercial and Cybercrime insurance policies;

  1. o) arising out of Cybercrime’.

On 21 September 2022, the Law Society of South Africa (LSSA) in collaboration with Marsh and iTOO held a webinar to provide insights into the emerging trends within the cyber environment. During the session, Cyber Specialist at Marsh Specialty, Justin Keevy, reported that since 2019 there has been a significant increase in ransomware (a type of malicious software designed to block access to a computer system until a sum of money is paid) attacks. Mr Keevy noted that a ransomware attacker only needs to be successful once, while legal practitioners need to be insured 100% of the time.

Speaking on Mimecast’s The State of Email Security 2022 survey, Product Head: Cyber at iTOO Special Risks, Ryan van de Coolwijk, noted that the survey stated that –

  • 75% of companies were impacted by ransomware attacks, which is up from 61%;
  • 96% of companies were targets of e-mail related phishing attempts;
  • shockingly, 23% of companies were providing ongoing cyber awareness training to their employees; and
  • 80% believe that their company is at risk to inadvertent data leaks by employees.

The next webinar on cyber risk pitfalls will take place on 13 October 2022, practitioners should keep a look out for the invitation. The LSSA has recommended a cybersecurity policy be developed in collaboration with Marsh to members, for more information on this product, e-mail LSSA@Marsh.com (see also www.derebus.org.za).

This article was first published in De Rebus in 2022 (Oct) DR 3.

X