Recent announcements by the SRA seem to carry quite a “back to the future” feel on the closely related topics of cyber-based property fraud (www.sra.org.uk/sra/news/press/pii-cybercrime-consultation/) and anti-money laundering checking. In its Anti-Money Laundering topic guide from April 2020 the regulator commented that keeping the profession free of money laundering activity was one of the main ways of disrupting serious crime and would therefore be “in everyone’s interests”. An equally pressing concern for many firms is showing that they have adequate controls in place in this regard, so as to satisfy the increasingly pointed line of questioning that they are now likely to receive from their indemnity insurers on renewal.
It seems clear that the risks of fraud and money laundering activity remain amongst the most pressing compliance concerns for many law firms, especially in a fast-hardening insurance market where the balance between the supply of and demand for PII is now very firmly tilted in the insurer’s favour. This topic was itself covered in the SRA’s Annual AML Report from its Reporting Officer dated October 2020, where money laundering linked to vendor fraud was referred to as “a key theme” of the suspicious activity reports that the SRA had found it necessary to make to the National Crime Agency.[1]
Against this troublesome backdrop the SRA has recently launched a consultation on the possible need for all firms to have in place “affirmative cyber cover” as part of the minimum terms and conditions (MTC). In this regard the SRA has reported that cybercrime accounted for some £2.5m of reported losses for the profession in the first half of 2020 alone, and so represents a major expense for the insurers in the first instance and, as now seems to be the case, for the profession in turn. The SRA considers that all firms should be required to have appropriate cover in place in relation to cyber-attacks, a position it says reflects the views of the Prudential Regulation Authority and Lloyd’s of London in light of the recent increase in the risk of such attacks. The objective is stated to be to “provide absolute clarity” for all concerned rather than to alter the current scope of protection. The recommendations are made at a time of an observable increase in such attacks on firms, and of reports of apparent confusion among many firms as to the true extent of their cover.
Law firms, of course, represent attractive targets for would-be attackers. Most law firms handle larger sums of money than would be usual for businesses of a similar size but, in most cases, without the sophisticated cyber risk control functions that would be expected of other businesses exposed to similar levels of risk. With this backdrop in mind the SRA has announced a consultation process, with replies invited by the 24th May.
The relatively short consultation note explains that the SRA is proposing to add a clause to the MTC setting out what is and is not covered in relation to losses that might arise from this area of risk to law firms. The objective is stated to be to “provide absolute clarity for law firms, insurers, and consumers without altering the scope of consumer protection provided by our PII arrangements”. The main change suggested is that the broad “civil liability” basis for losses arising from “private legal practice” within the current scheme should be supplemented by an additional clause making it explicit that the consumer protection provided by the MTC applies equally where such losses arise from a cyber-attack event.
One rather obvious concern that many firms will have, and those currently in renewal discussions in particular, is whether this will result in further increases to premium levels that are already under pressure. On this the SRA expresses the hope that it will not, as losses from cyber-attacks have in any event always been taken to form part of an MTC-compliant policy. This is subject to the very important caveat, however, that the proposed change will not cover the firm’s own losses in any such event. By way of example, if a loss were to arise from a fine imposed by the Information Commissioner’s Office in relation to a cyber-attack, supplemental cover would have to have been obtained to meet it. There would therefore be an exclusion in the MTC providing that the firm’s own losses may be excluded from cover, but that any such exclusion must not limit or exclude claims made against the firm by clients or others. It is therefore further explained that if a cyber-attack compromises the firm’s accounts system, a resulting claim by clients or others for any losses they have sustained would be covered.
The report concludes with the assertion that there should be no adverse impact on vulnerable clients or on any particular group of firms, and the detailed draft rule amendment can be inspected at Annex 2. Those wishing to respond, and in particular the many firms that have found themselves the victims of such events, will find the consultation questions at para 21 of the report.
[1] Annual Report by the MLRO for the year ending October 2020, para 20