18 November 2021, by Johan Shahar, Vice President, FINPRO – Malaysian Bar, Marsh Insurance Brokers (M) Sdn Bhd.
How does your Professional Indemnity Insurance (“PII”) protect these evolving risks?
Law firms, like all businesses, are operating in and relying upon technology in an increasingly hostile digital landscape. With the global Coronavirus Pandemic, reliance on technology has accelerated, and this also applies to the legal sector. Apart from managing traditional errors and omissions, lawyers must now take advantage of the obvious benefits from technology, but also be wary of cyber-threats and data breaches risks they face.
To illustrate these risks, let us consider the recent data leak which revealed the hidden assets and secret deals of some of the world’s richest and most powerful people, commonly referred to as the Pandora papers. This “leak” involved 12 million documents extracted from a number of different sources including law firms and financial advisers from around the world, which provided detailed insights into many wealthy and well-known people assets and private information but also how some avoided tax, hide their assets and laundered money. This comes several years after the similar Panama Papers leak, and is one of the biggest such data leaks to date.
What could this mean for lawyers? In short, if a law firm was the source (or potential source) for any of this information they face:
- At best, defending legal claims from clients or aggrieved parties;
- Costs arising from regulatory or legal investigations;
- Potentially significant expenses to engage IT specialist to unravel if and how data was extracted from their systems; and
- These issues may also involve cross border and multiple jurisdictions, adding to the complexity and potential costs.
What does your Mandatory PII cover in this situation?
The Mandatory PII Scheme as arranged by Marsh Insurance Brokers Sdn Bhd (“Marsh”), and underwritten by Pacific & Orient Insurance Co Berhad (“P&O”) protects members of the Malaysian Bar against civil liability arising from their legal practice. This includes claims made by clients against lawyers / firms for the loss the clients suffered arising from cyber-attacks or data breach on the lawyers / firms IT systems. Therefore, in summary, many (but not all) of the costs and consequences of these kind of event would be covered by your Mandatory PII (subject to the specifics of the policy language and the full facts of the actual event).
How about your Top-up PII policy? Does it “follow form”? Every Insurer says they do!
The Top-up policy limit arranged by Marsh (with P&O) has the dual benefit of providing a “one stop” seamless claims process, and importantly provides a “follow form” policy coverage. This means the coverage provided in the Mandatory PII Scheme is mirrored by the Top-up Insurer, and for the full available limit.
We highlight this issue because we have recently seen at least two alternative Top-up offerings in market that include cyber liability or similar clauses sub-limited within the Top-up offering. This has the potential effect of severely reducing policy cover in situations such as a Pandora papers or a wide range of claims that involve some kind of technology or computer system problem, if the event is captured by the sub-limit. Therefore, if you effect Top-up insurance which includes cyber or similar sub-limits or exclusion language, we strongly recommend you seek clarity from your provider on the potential implications.
Fortunately, in Malaysia, large professional indemnity claims against law firm are reasonably rare but cyber-attacks and unauthorized access to systems are only going to increase in frequency – the future is increasingly here today!
Do law firm In Malaysia need Cyber Insurance (in addition to your PII)?
The simple answer is that most of the legal liability exposures from the kind of example discussed in this paper would be protected by the scope of your current Mandatory PII. However, many of the costs arising from repairing, restoring or replacing computer systems damaged, corrupted or misused by a hacker, engaging a forensic/cyber security specialist to assess the damage, and what might have been lost, expenses in dealing with a cyber-extortion (eg your “own” or first party costs) may not be covered under your PII. This is where Cyber Insurance provides ready access to this support and will cover the costs of this support.
These costs can be significant especially when needed urgently and securing the right support can be vital in protecting a law firm from significant financial and reputational damage.
At Marsh we have arranged a tailored product available for all lawyers to readily access a cost-effective option for Cyber Insurance, that has been designed to complement your existing PII.
Please remember other market Top-up products may on the surface appear to be of good value and offer “full follow form” but they often still contain additional limitations or restrictions and some of these may result from features that in the surface appear to be beneficial.
Disclaimer
This document is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Any statements concerning actuarial, tax, accounting or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, tax, accounting or legal advice, for which you should consult your own professional advisors. Any modeling, analytics, or projections are subject to inherent uncertainty, and the Marsh Analysis could be materially affected if any underlying assumptions, conditions, information, or factors are inaccurate or incomplete or should change. Marsh makes no representation or warranty concerning the application of policy wording or the financial condition or solvency of insurers or re-insurers. Marsh makes no assurances regarding the availability, cost, or terms of insurance coverage. Although Marsh may provide advice and recommendations, all decisions regarding the amount, type or terms of coverage are the sole responsibility of the insurance purchaser, who must decide on the specific coverage that is appropriate to its particular circumstances and financial position. Insurance coverage is subject to the terms, conditions, and exclusions of the applicable individual policies. Policy terms, conditions, limits, and exclusions (if any) are subject to individual underwriting review and are subject to change.