New Zealand Law Society

Navigation menu

Cyber liability insurance an option

13 October 2016 - By Angharad O'Flynn

In Connect Smart Week it's timely for law firms to review their risk management strategies and to ensure all employees increase their cyber security awareness.

Results of a Colmar Brunton survey released this week showed that just 17% of New Zealanders said they had received training or advice about cyber security at work.

Lawyers and law firms are often victims of email fraud and tactics these days are more advanced than the standard "Nigerian Prince" phishing e-mail scam. They are becoming harder to detect with more and more businesses succumbing to the ruse, but not reporting it for fear of the embarrassment they may face.

For lawyers, this could take the form of an email claiming they require legal assistance to complete or formalise a fairly straightforward process. The emails can be tailored to the recipient (spear phishing) with some fraudsters spending time researching their target beforehand if they're considered big enough (whaling).

"There have been a growing number of articles in the local media relating to elaborate-sounding activities like phishing, spear phishing or whaling," says Mark Jones, Head of Financial and Professional Risks at Crombie Lockwood.  "Unfortunately we are seeing our clients become victims of these types of event with increasing regularity."

"These 'attacks' usually take the form of an email from a client, customer or other trading partner requesting a payment and specifying bank account details. The email will often look genuine but the bank account details will be anything but," Mr Jones says.

He warns "If you follow the e-mail instructions, that will be the last you will see of your money."

Risk management is important because would-be thieves have access to large amounts of stolen and forged documents and will use the names and websites of genuine individuals and companies, leaving an internet trail that can seem legitimate.  

Educating all staff is important because emails don't always go to lawyers in the firm. Any department that deals with finances is at risk. Sometimes all it takes is a phone call to stop the scam in its tracks. If you know the person who 'sent' the email, ring them to confirm.

"Not just smaller firms are at risk. Even firms with large IT departments are at risk of ransomware events," Mark Jones says and "...smaller firms are less likely to have resources to deal with a cyber incident on their network."

Better staff training and awareness, strict protocols for handling emails with attachments, regular IT upgrades and security assessment are all ways of insuring against cyber crime. There is also, of course, the options offered by insurance companies.

Crombie Lockwood's Mark Jones compares cyber insurance policies to health insurance explaining, "Cyber policies are driven off a cyber event, and not necessarily, is that going to be a breach of professional duty."  

"If you got a virus today, you would go to the doctor.  The doctor would send you to a specialist who will treat you and, hopefully, you'd come out with no ill effect.  In the same way, if a law firm's computer network is infected with a virus a cyber insurance policy would provide access to and fund a team of specialists to treat the infection and get the network back in working order."

It should be noted that professional indemnity (PI) is driven off a breach of general duty and while a hack or email scam may not result in any breach of duty liability, it has the potential open the firm up to breach of privacy

It can be a confusing subject, and while the concept has been around for a while, insurance companies which didn't offer any cyber liability policies before are now fine-tuning their crime insurance packages by adding cyber liability policies to reflect these threats. It's fair to assume these sorts of policies and packages will evolve as technology advances and scams and cybercrime continues to become more complex.

Insurance industry members say that overall, a crime insurance package with a cyber liability policy can provide cover for these types of fraud, as well as other cyber exposures you may face which can result in opening a firm up to privacy breach litigation.

Small firms shouldn't fear breaking the bank either when it comes to covering themselves. Most companies offer crime insurance with cyber liability packages ranging for those considered low risk, with five employees, right up to high-risk firms, with hundreds of employees.

Last updated on the 25th October 2016