Solicitors’ PII, D&O and Cyber…can you notify more than one?

As a law firm, you will already have a Professional Indemnity Insurance (PII) policy in place. However, if you need to make a notification to your professional indemnity insurers, would you consider whether any other policy purchased by the firm may respond in a different way?

With exposures increasing, some law firms are choosing to expand insurance coverage by adding supplementary cover for different areas of risk, for example Directors’ & Officers’ (D&O) and/or Cyber cover.

When two or more policies are held, there might be uncertainty when determining which one to notify should an issue arise. Most law firms will be familiar with the cover available from their PII policy which generally assists with claims of negligence from a third party only, usually a client. But could there be cover elsewhere for the firm’s own costs and expenses?

PII

PII protects against claims for loss or damage made by clients or third parties as a result of negligent services provided or negligent advice offered. Cover for defence costs relating to a claim or circumstance notified under the policy is also available under the PII policy (and is not subject to a policy excess), although this does not extend as far as defence costs for disciplinary proceedings before the Solicitors’ Disciplinary Tribunal.

D&O

D&O insurance provides cover for a company and its management and is designed to protect against claims arising out of decisions and actions made within the scope of everyday business. D&O insurance usually provides cover for defence costs incurred by board members, managers and employees in defending claims made by shareholders or third parties for alleged wrongdoing unrelated to the provision of a professional service. D&O insurance also covers monetary damages, settlements and awards resulting from such claims. Cover for regulatory investigation costs is also provided but will be subject to the relevant policy excess and, on most occasions, to a Professional Services Exclusion, which may have a “carve back” for anyone acting in a supervisory role. Please be aware that policy wordings differ, so it is always important to understand the exact scope of the cover you have.

Cyber

Cyber insurance can cover financial losses incurred by a business following a data breach or cyber event such as ransomware, social engineering or a phishing attack. Again, the scope of cover differs from policy to policy, so always check what you are purchasing. The cover is usually for first party loss, so it is important to understand where your cyber coverage ends and PII begins, and whether there is any overlap. Where there is any potential for claims or losses suffered by a third party following a cyber event, the matter should also be referred to your professional indemnity insurer.

Let’s look at some examples to understand how notifications could overlap…

Insured A

Insured A suffered an internal security breach involving a compromised email account, resulting in client funds for a conveyance completion being sent to a fraudster.

After application of the relevant policy excesses, the Insured firm were provided with the following cover:

  • Cyber Insurers covered first party losses being costs associated with identifying the extent of the breach including IT, data protection and cyber forensic investigation; account lock down and password changes and containment; reporting to and liaising with fee earners and staff, ICO GDPR data breach report and correspondence; SRA fraud report; Action Fraud mandate report; and liaising with the Insured firm’s bank fraud investigation/financial fraud portal.
  • Professional Indemnity Insurers reimbursed the Insured for the deficit in client account which resulted from the cyber incident.

Insured B

Insured B experienced a data breach when clients were sent personal data of other clients as a result of human error. After notifying the ICO and the firm’s Cyber Insurers, the Insured was also advised by the Howden claims team to make a notification to their PII policy.

This type of breach triggered cover from the following:

  • Cyber Insurers covered Public Relations costs (with Insurers’ prior approval and at panel rates); assistance with notifying regulators; third party call centre costs (also with prior approval) to assist in answering telephone calls from data subjects regarding the breach; and costs to monitor the dark web for leaked data.
  • Professional Indemnity Insurers agreed to assist where required after various Letters of Claim were received from some affected clients claiming third party loss. The PII policy would respond to third party loss including awards by the Legal Ombudsman (with the exception of any reimbursement of fees paid to an insured by a client).

Insured C

Insured C was the subject of an investigation by the SRA that included a suspected breach of the SRA Accounts Rules that was not related to a claim or circumstance already notified to their professional indemnity policy.

The following cover was relevant:

  • The Insured had made a notification to their D&O Insurers seeking cover under the policy to assist with Investigation Costs for an Insured Person undertaking a supervisory role.
  • The Insured was also advised to notify their PII policy, as an obligation on a firm to remedy a breach of the SRA Accounts Rules is defined as a claim under that policy and, subject to policy excess, the Professional Indemnity Insurers would usually be required to indemnify the firm for the monies required to make good the client account and meet related defence costs.

It is worth noting that most policies will usually include an exclusion for any claim for which an Insured is entitled to indemnity under any other insurance policy. However, if more than one type of insurance has been triggered we would expect any relevant Insurers to review and discuss all issues notified so it can be determined which policy takes priority and/or responds separately to any others.

Consideration should always be given to any relevant policy excess and the requirement to seek prior approval from Insurers for any costs you would expect to be covered by the policy.

It is important to be aware of the extent of cover available to your firm and if you become aware of a claim or circumstance, you should always consider whether cover may be provided under multiple policies. Please do not hesitate to contact Howden should you wish to discuss your insurance arrangements and our specialist solicitors’ claims team are always happy to discuss matters with you should you require guidance in relation to notification and coverage.

Authored by:

Amanda Murray

Senior Claims Executive, Howden Professional Indemnity
