
What is your cover for cyber attacks?

By Legal Practitioners’ Liability Committee

Only some security risks are covered by LPLC’s professional indemnity insurance.

Cyber security risks should be at the forefront of practitioners’ minds in this current environment. These risks come in many forms and only some of them are covered by LPLC’s professional indemnity insurance policy.

In essence, the policy covers any civil liability resulting from a claim made against a practitioner by a third party in connection with the firm’s legal practice and any defence costs associated with that claim.

Any claim that a practitioner makes on the policy must be considered on its merits and subject to all of the terms and conditions of the policy. Set out here are claims likely to fall within the scope of the insuring clause and those which are not.

Fake emails

The example described by Simon Kerr (p19) has happened to more than one firm in the last couple of years. See LPLC’s bulletin Cyber security breach – claims caused by fake email which lists the steps that firms and individual lawyers should take to avoid these claims.

Any money paid to a fraudster as a result of a fake email will be covered by the policy as the client will be seeking to recover the amount from the firm.

A new variation on this scenario is the fake email coming from the firm to the client instructing the client to deposit money in the fraudster’s account. To avoid these claims, firms should have a policy of not emailing payment details and tell clients about that policy at the start of every matter. Alternatively, tell clients that if they receive an email from the firm containing payment details, they should call the firm to verify.

Ransomware attacks

Cyber attacks that shut down a firm’s computer system and interrupt the productivity of the firm resulting in lost income would not be covered by the policy.

However, if the shut-down resulted in the firm missing a deadline on a client matter and the client suffered loss, any claim for compensation by the client would give rise to a civil liability indemnifiable under the policy.

If the firm paid the ransom to unlock its computer system, that payment would not be covered as it is not a civil liability. Similarly, any cost paid to obtain technical advice from IT specialists would not be covered.

Loss of confidential information

Where a cyber attack results in confidential client information being stolen, there are different possible outcomes. For example, the use of the confidential information may result in the client suffering a loss. If the client claims that loss from the firm, the policy will cover that claim. Or, the client may make a misconduct complaint to the Victorian Legal Services Board and Commissioner for allowing the confidential information to be disclosed. That complaint is not covered by the policy unless the complaint also includes an allegation of negligence and a claim for compensation.

Contributed by the Legal Practitioners’ Liability Committee.
