The frightening spectre of cyber attack and cyber crime has never been more present than now.
It was a sobering day when the Prime Minister informed the nation that we are under relentless and sustained state sponsored cyber attack. It constitutes nothing less than a new type of economic warfare. Indeed it may ultimately be used as an element of conventional warfare itself.
Business ought to trembling in its boots and indeed many are, but some are still naive to the nature and extent of the risk, or fail to understand the full consequences of the damage and loss that can result.
The legal profession is in the same position as other industries, but there is more reason to be concerned as we hold trust monies for clients, hold data that is privileged and owe duties to courts and clients that heightens our risk.
The upside for clients of lawyers is that we all hold compulsory professional indemnity insurance against the risk of third party – a client’s – loss.
There is a limit to our compulsory cover however of $2m, so any loss above that is uninsured unless a legal practitioner has taken out top-up insurance, usually the preserve of larger firms. It is always wise for clients to look into what professional indemnity insurance a lawyer has.
But that does not cover a lawyer for any first party – their own – loss. This can occur in a myriad of ways including straight out cyber theft from bank accounts, paying ransoms for ransomware attacks, business interruption loss, retaining IT experts to restore systems and data, costs of mandatory reporting in certain circumstances, and reputational damage.
Many businesses will point to a general business insurance policy that they believe covers them for cyber hacking and cyber crime. The brutal reality is that traditional insurance policies usually do not.
I am critical of the insurance industry for failing to make clear to customers the extent of their uninsured exposure to cyber hacking and cyber crime. On the other it can be argued that insurance is only one of a suite of measures required to protect against cyber attack, which must include throughly educating members of an organisation, and strong ICT and systems protections.
Most claims you will discover are excluded under a general business policy, even though it will have a cyber or cyber crime provision. The most likely basis for exclusion is that unless you are using multi-factor authentication, encrypted email, and other requirements of the ‘essential eight’ your claim will be excluded. Additionally the scope of cover will likely be pretty limited.
The ‘essential eight’ are a list of the absolute minimum standards to protect against cyber attack released by the Signals Directorate, Australian Cyber Security Centre, and can be found here https://www.cyber.gov.au/acsc/view-all-content/essential-eight/essential-eight-explained
So the bottom line for all businesses including law firms is that there is a dawning realisation that this is for all intents and purpose an uninsured risk. Extrapolating further, it is an uninsured risk that has a limitless liability. In fact it may bring your business to its knees and cause its insolvency, in a single attack.
Sensible people as we all are means we then ring an insurance broker and ask about a better stand alone cyber security and cyber crime policy. Technically speaking, it’s a combination of both cyber liability insurance and crime insurance that is required to cover both the data and monetary impacts arising from cyber attack.
All I can say is good luck with that. These policies are very, very difficult to get and very, very expensive if you get them. They will still contain exclusions, and the higher the financial cover the more expensive it becomes until you will realise it is uneconomic. Underwriters are not stupid. They realise the peril of these policies and the ever increasing nature of this risk and they exist to make – not lose – money.
What are we to do as a profession? Indeed, how is business going to respond to what is not a new threat, but one which increases in its potency every day?
When the legal profession has been faced with such existential crises in the past we have acted as a collective. Our compulsory third party professional indemnity insurance cover is one case in point.
In that example, whist it may be comforting to a client that they have a level of protection, it doesn’t help them much if by reason of cyber attack their privileged data is stolen or if their lawyer bankrupted as a result of cyber crime losses.
What’s worse, it could occur in the form of a mass attack that takes us all down.
That gives rise to a consideration of our ethical duties. If most of us are effectively uninsured in circumstances of a cyber attack, how are we to displace our duties to the courts and to our clients?
One of the great advantages of first party insurance cover in these instances is real time expert help to respond to something such as a ransomware attack, that may result in an insurer ‘cutting its losses’ and paying the attacker to release your ICT system. It is akin to kidnap cover taken out for that South American holiday jaunt.
If we cannot as individuals obtain this type of cover one by one, firm by firm, we must consider purchasing it as a collective. Maybe it is an opt-in model, but that is not how our third party cover works, and requires a high level of awareness and cooperation.
It may be time to consider compulsory first party cover, obliging firms to comply with the ‘essential eight’ to bring themselves within the scope of cover or find themselves paying a premium for nothing. It is not a disadvantage to a firm which already has first party insurance cover, because the limit of their compulsory first party cover would become the excess for their optional policy, saving premium on the latter.
By forcing our collective hand in this area there is the clear added benefit of consumer protection. The legal profession of South Australia could stand out versus other states as being the most secure and compliant in the area of cyber security, thereby gaining an obvious competitive advantage.
Best of all we can all sleep at night, secure in the knowledge that our policy will respond to cover not only for our clients but ourselves.
Financial mismanagement aside, there are few risks in business that are virtually uninsurable and have the capacity to undo you completely, but cyber attack is one of them. We should be afraid, very afraid, but we can also do something about it if we band together.
This is not merely an issue for the legal profession. Industry associations and business groups need to cooperate to protect ourselves and our customers.
Put simply, it is a risk so great that it is impossible to go it alone. The collective must respond.
Morry Bailes is senior business advisor to Tindall Gask Bentley Lawyers, past president of the Law Council of Australia and a past president of the Law Society of South Australia.
Want to comment?
Send us an email, making it clear which story you’re commenting on and including your full name (required for publication) and phone number (only for verification purposes). Please put “Reader views” in the subject.
We’ll publish the best comments in a regular “Reader Views” post. Your comments can be brief, or we can accept up to 350 words, or thereabouts.
Local News Matters
Media diversity is under threat in Australia – nowhere more so than in South Australia. The state needs more than one voice to guide it forward and you can help with a donation of any size to InDaily. Your contribution goes directly to helping our journalists uncover the facts. Please click below to help InDaily continue to uncover the facts.