On 24 November 2023, CTS confirmed it had been subject to a cyber-attack, resulting in disruption to a range of firms, including law firms, that used its services. Below, our cyber and law firm experts, Sam Jobling and Marianne McWilliams, explain how a cyber policy would have responded.
IT Service Providers (ITSP) and Managed Service Providers (MSP) are a likely target for cyber criminals as they can potentially act as an access route to many other organisation networks. Regardless of whether this is successful, once an ITSP / MSP is breached, the disruption caused to their clients can be widespread, as we have seen with CTS.
The CTS cyber-attack highlighted the fragility in today’s interconnected world, where most organisations need to outsource at least some of their IT capabilities to third parties. Unfortunately, these relationships pose a supply chain risk, which needs to be carefully assessed, managed and mitigated. It is essential that businesses understand their own risk exposures and undertake thorough due diligence of their suppliers, both prior to engagement and throughout the life of the contract.
How would a cyber insurance policy have responded to a CTS-like attack?
A cyber insurance policy can help to mitigate the financial and reputational consequences of a cyber-attack, as well as provide the specialist support needed to get a business back on its feet and reduce the overall impact. A policy would have covered the following.
- First party claims (policyholder’s own losses) and claims brought against the firm from a third party because of that cyber incident.
- Incident response support – this is a fundamental section of all cyber policies and provides policyholders with a 24-hour incident helpline and instant access to a panel of experts, including forensic IT security consultants, legal or regulatory advisors and public relations firms, who are on hand to support from the very beginning of an incident.
- Business interruption – a section within the policy is often included as standard and is designed to cover loss of profits and increased cost of working resulting from a cyber event that impacts the policyholder. Interruption at an outsourced IT provider’s business is usually covered too and it is possible to extend the policy to include other key suppliers if these are identified and agreed with the insurer in advance.
Why investing in a cyber policy makes good business sense
Conveyancers will remember the cyber-attack in November 2021, which cost Simplify, one of the UK’s largest conveyancing and property services businesses, a reported £7.3m. Further consequences of that event were also significant disruption to property chains and resultant delays in completions. The Law Gazette article ‘Cyber-attack cost conveyancing giant £7m - but the insurers paid up’ reported that Simplify “successfully claimed from its insurers in relation to lost business”, demonstrating that the levels of loss can be significant and insurance can play a part in helping an affected firm recover financially.
Law firms do have some elements of protection for client money under their professional indemnity insurance (PII) policy, however a cyber-attack can demand a more immediate and far-reaching approach. The claims service under a PII policy is not usually designed to offer the speed of response or access to specialists that a cyber breach might require. An event of this type often necessitates reports to the SRA or CLC, plus a report to the ICO, who all have strict reporting requirements. The availability of a dedicated 24-hour helpline under a cyber policy means that a policyholder can access immediate support, even if the loss is discovered over a weekend or during a public holiday.
Be proactive with your cyber protection
These difficult, publicised cyber-attacks act as a reminder to consider both the tangible risks and indirect costs, such as lost management time, reputational impact, etc. that a breach can cause to a business. Firms are encouraged to regularly assess their resilience and use available resources on trusted sites, such as a the National Cyber Security Centre Exercise in a Box - NCSC.GOV.UK to identify their vulnerabilities.
Ultimately, there are important benefits provided by cyber insurance policies and if firms are affected by events of this type, and have cyber insurance in place, then they should contact their insurer’s helplines at the earliest opportunity to access the support and cover afforded by their policies.