As recently as October 2018 the International Bar Association published Cybersecurity Guidelines, which are available at www.ibanet.org. The duty to safeguard the confidentiality of client information is as old as the profession. In processing both client information and our own business information, the vast majority of which is in electronic form, legal professionals who choose to avail themselves of the undisputed advantages of information and communications technologies are duty-bound to understand the risks of doing so, and to establish and maintain safeguards against the risks to which they may be exposed. Against this background the LSSA has for many years published guidelines on Information Security and Protection of Personal Information, which are available on its website at www.lssa.org.za. The guidance provided by the LSSA is confirmed in the Cybersecurity Guidelines, and every legal professional who processes information electronically should, if they are diligent in discharging their duties, read and become familiar with these guidelines.
The guidelines must be recognised for what they are. They provide assistance but are not definitive checklists. We all process different information, use different technologies and have different perceptions as to how information should be processed and which security safeguards are appropriate to that processing. This demands that legal professionals devote time to understanding cyber risks and what security is appropriate. It must also be accepted that the obligation that rests on legal professionals, because of the sensitivity of the information that they process and their professional duty, is onerous.
It is only once risks are understood that decisions may be taken as to whether the risk:
- is acceptable (the consequences may be insignificant or even if the consequences are significant the chances of the risk actually being realised are remote); or
- is unacceptable, in which case the appropriate control measures must be determined, established, implemented and consistently maintained to protect client and business information.
If a risk assessment is properly conducted, it will become evident that some risks are extremely difficult to protect against and that, despite the best endeavours of those seeking to do so, cyber liability insurance may need to be considered. As an integral part of the Cybersecurity Guidelines, in chapter 2 dealing with Organisational Processes and under the heading “Consider Cyber Liability Insurance”, the guideline points out:
- “Even if law firms implement their best cybersecurity technologies and processes, firms will still have some level of risk exposure [residual risk].
- Law firms should assess their risk exposure as outlined and take out adequate cyber-insurance as part of the firm's overall cybersecurity risk mitigation strategy.”
The reality is that in South Africa cyber liability is expressly excluded from the cover provided by the Attorneys Insurance Indemnity Fund (AIIF). As a result, many legal professionals are not covered against cyber risks and will therefore be unable to recover from a serious breach, leaving them with significant financial exposure.
The risk to the legal profession in South Africa is exacerbated by our being the second most targeted country in the world with regard to cyber-attacks. In the case of business email compromises, the AIIF reported in August 2018 that, since the exclusion of cyber liability insurance with effect from 1 July 2016, it had been notified of over 110 cybercrime-related claims with a total value of R70 million.
In considering cyber liability insurance, it must be understood that, as with physical insurance, the insured has an obligation to establish and maintain appropriate security measures as a condition of the grant of cover. In the same manner that unprotected physical premises will be either uninsurable or subject to extremely high premiums and excesses, so too will cyber insurers require that the insured fulfils certain minimum requirements. Where an insured has taken cognisance of the guidelines provided by the LSSA and the IBA, it is highly likely that most of these boxes will be ticked.
As both cybersecurity and cyber liability insurance are rapidly developing fields, the LSSA Cybersecurity Helpdesk will, on a continuous basis, engage with information security professionals and cyber insurers in seeking to address issues that are specifically relevant to the profession. In this regard it is proposed that a list of underwriters providing cyber liability insurance will be published on the LSSA website. This will provide contact information for underwriters whom legal professionals or their brokers may approach in addressing this critical aspect of legal professionals' cybersecurity management.