Much of our work involves engaging with law firms and answering their questions. One that frequently arises is whether it’s compulsory for a firm to purchase additional cyber insurance. The short answer is no—it isn’t compulsory.
For firms regulated by the CLC, the Participating Insurer Agreement explicitly states that insurers cannot require a Practice to take out any additional policies with them. Quotations must be provided separately and on a standalone basis.
That said, the Regulator acknowledges the clear advantages of having cyber cover. Their website notes: “We encourage practices to consider taking out specialist cyber cover.”
Similarly, for SRA-regulated firms, guidance from the Law Society explains: “Purchasing cyber insurance is not a strict regulatory requirement for solicitors, but it’s a sensible precaution and may help firms to meet their regulatory responsibility to ensure that they ‘identify, monitor and manage all material risks to [their] business’.”
These are perspectives we wholeheartedly support.
Law firms are attractive targets for cyberattacks due to the large volumes of client funds and sensitive data they manage. Breaches can - and do - occur, often resulting from human error, regardless of the quality of training or technological safeguards in place.
Even relatively small firms can face costs running into tens of thousands of pounds in the wake of a cyber incident. In such situations, insurers’ 24-hour helplines become invaluable. They provide immediate access to expert support to assess the breach, prepare regulatory reports, and guide you through a complex and unfamiliar landscape.
Given the nature of these incidents, it’s often necessary to notify both your Cyber and Professional Indemnity insurers of a potential claim. Coordinating both policies through the same broker can streamline the process - offering a small but meaningful reassurance during what is likely to be a highly stressful time, with pressure coming from staff, clients, lenders, and others.
Some insurers go a step further, helping to reduce the risk of a claim before an incident even occurs. Many offer risk management tools, subsidised services, or staff training as part of their policy - valuable extras worth considering when selecting your insurer.
Ultimately, while cyber insurance may not be compulsory, there are plenty of compelling reasons to consider it.
.
