In Conversation With…Brian Boehmer
We are very grateful to Brian Boehmer for making time to share his observations on a number of risk management related issues. As many of our readers will be aware, Brian is a Partner at Lockton specialising in Professional Indemnity Insurance for all professions, particularly for Solicitors, IFAs, Insurance Brokers and Surveyors. In addition to managing a portfolio of clients, he has a leading role in negotiations with insurers. Brian has a wealth of experience in structuring and administering group insurance solutions - most recently for the Quality Solicitors group.
What are the current trends and disrupters shaping the UK PII market?
Recent developments in the insurance market have meant that the professional indemnity (PII) market is showing signs of hardening for the first time in many years. Some practices will have already been affected and experienced some hardening of rate for their working layer, which is the first layer of coverage above the compulsory limit up to £10m.
Originally, this was partly due to a number of insurers already discontinuing writing of this class in this layer. All of the insurers that have exited the class have cited claims activity as the main driver. The modest premiums often collected for this layer mean that it does not take much to wipe out the entire premium collected in any one year; depending upon the severity of the losses experienced, this could even span several years of collected premium.
In addition to this, recent reports from Lloyd's of London revealed that Non-US PII was the second worst performing class in Lloyd's. In August, the market witnessed the withdrawal of Libra Managers, which provided PII to 20 of the top-200 law firms. The insurer confirmed it would not underwrite any new business from 1 October.
Despite this, the market is in relatively good shape thanks to the availability of strongly rated capacity, particularly for smaller firms. Those firms that spend a little more time with their presentations, to provide a greater insight into their practices, are generally reaping the reward.
The aftermath of some failed unrated capacity is yet to hit, the latest being the Danish insurer Alpha A/S and CBL. Subject to the Financial Services Compensation Scheme (FSCS) rules, those firms who have less than £1m in fees should have an element of protection. The FSCS will pick up 90% of any loss suffered (after excess) meaning that the firm is liable for 10% of the claim and the excess. This could be catastrophic for some firms, especially if the claim is of significant value. Sadly this may also result in forcing some firms to close, especially if they do not qualify for FSCS support. Only time will tell the impact that this might have on the Errors & Omissions of those who sold and recommended these policies.
In light of the uncertainty in the Insurance market outlined above coupled with Brexit on the horizon, it may well be prudent for firms to lock into longer term deals if they are available.
What major trends have you observed over the past five years as regards the degree to which technology, including social media, presents new risks to identify and manage?
With an increased reliance on technology, it has become the emerging risk area for the profession. Many of us will access systems on the go, and it is not uncommon for us to have a PC, a laptop or iPad for when we are on the move, along with a device that also allows us to send and receive emails. If that were the case for every employee of an organisation, a firm’s attack surface is multiplied by three. The more devices and systems that we use, the greater vulnerability and potential attack opportunity for criminals we create. Increased cyber-related security is essential for all businesses, which has to be continuously updated and reviewed.
The biggest trend for the legal profession during the last five years has to be the much publicised “Friday afternoon Fraud”, so-called because a number of these incidents have occurred on a Friday afternoon when many conveyance transactions complete. However, these scams are not exclusive to Fridays, but can happen throughout the working week and generally involve some form of email interception. This could be a law firm interacting with the criminal, thinking they are a client. Alternatively the client could interact with criminals impersonating the law firm. Either way, the damage can be catastrophic.
The increased use of social media in business presents another risk, because by its very nature, employees may be using these channels in their personal lives. This cross-pollination could lead to negative consequences for a business, one of the most significant being reputational harm.
A reputation can take many years for a company to build but only seconds for it to be destroyed or negatively impacted online. Having a social media policy and ensuring staff are aware of it are key. Training them on how to use social media responsibly and raising awareness will help to mitigate this risk.
What can be done to combat the extremely sophisticated and co-ordinated threat posed by cyber criminals? How is cyber affecting the PII sector? How will this affect the way insurers approach the handling of claims?
The staff of any professional service practice are both their biggest asset and also their biggest threat. It is therefore of paramount importance to continually educate staff about the risks and raise awareness. The well-publicised “Friday afternoon scams” are still prevalent, and the approach taken by criminals has not necessarily changed since these incidents became more prevalent in 2015/2016. Through technology, their timing and the level of detail / sophistication that they use may have improved. Continued awareness is important so that this remains front of mind.
It is also important to consider that staff workload is managed so they do not make unnecessary errors or mistakes that they would be far less likely to make without an unhealthy volume of work.
Cyber-related incidents are frequently being addressed by PI insurers when the end result is the law firm’s clients suffering a loss. Because of this, there is a greater scrutiny prior to an insurer offering terms around a firm’s cyber security. There is now an expectation that each and every law firm has appropriate measures in place and that they review their security and procedures frequently.
There is much discussion in the market at present as to the validity of insurance related to data breaches and whether fines and penalties might be insurable. Whilst cyber insurance may cover some aspects of data breaches, with GDPR, is data management part of the narrative law firms must address in PII proposal forms to gain good cover at the best rates?
Prior to GDPR, firms had a responsibility to ensure that their clients’ data was safe and secure, so the landscape hasn’t necessarily changed that much. What has changed, however, is the greater threat that firms are faced with today, as society becomes ever more reliant upon the use of technology. It is essential that we all continually review our “cyber” security, and for business owners it is also prudent to have cyber insurance in place.
In the event of a breach, firms with a comprehensive cyber insurance policy have access to experts who can help them identify and rectify the problem. With insurance in place, it is much easier for a firm to get their business up and running again with the minimum amount of time and disruption to them and to their clients. Another added benefit of having cyber insurance in place is the positive view that the Information Commissioner's Office (ICO) would surely take in the event of a firm suffering a breach, if the firm has clearly mitigated the damage and impact to their end client(s).
Are you seeing a change in the type of PII policies law firms are choosing in response to changing business models and emerging risks? In what other areas are insurers expanding their offerings to include additional coverage? For instance are you seeing more enquiries about cover for regulatory defence costs in disciplinary proceedings, perhaps generated by press coverage of the SDT hearing into Leigh Day's handling of the Iraq war claims last year?
Due to the increased competition in recent years, some say that PII premiums are at rock bottom. As a result it is unlikely that we will see further movement in insurers' pricing, and so a number of insurers are looking at expanding their offering to provide more than the conventional Minimum Terms & Conditions (MTC) coverage.
The Law Society Gazette’s article on Leigh Day (https://www.lawgazette.co.uk/news/martyn-day--check-you-are-covered-against-sra/5061727.article) resulted in a number of insurers adding Regulatory Defence Cost coverage, not only to differentiate their offering from other providers, but also to meet the concerns that a number of firms had after reading the article. Due to the number of insurers making this coverage available, any differentiation was limited, apart from perhaps the limit and scope of cover.
A number of insurers are providing specific “add-ons” to expand MTC cover further, which may include limited aspects or small limits of Cyber, Management liability and COLP/COFA MLRO-specific coverages. To date, Inter Hannover is the only participating insurer that has developed a fully integrated product that specifically addresses the business risks law firms in England and Wales are faced with today. The product is called Interlock. Whilst providing client protection, like the standard MTC that all participating insurers must provide, Interlock provides seamless protection for a law firm's business too, as this also includes regulatory defence costs, crime and cyber coverages.
With the emergence of ABSs and MDPs, the traditional legal service offering continues to evolve. Some of these practices may have exposures that would not normally or automatically be covered by an MTC PII policy, despite its depth and breadth. It is therefore essential that firms provide their broker with all of the information about their practice, beyond just legal services, to ensure that appropriate disclosure is made and that coverage for these activities is included, when it is possible to do so. Since GDPR, we are seeing an increase in the volume of firms providing DPO services, which is an example of an activity that would not typically be covered under the MTC. Depending upon your insurer, they may well extend coverage to include this but potentially an additional premium may apply.
Which traits or strengths do you think make for an effective legal risk manager?
An effective risk manager has an eye for detail, possesses analytical skills and is knowledgeable about their chosen industry. Importantly, they must also be open to change; be strategic, incredibly organised, calm under pressure and be able to influence. Whatever industry that they operate in, they must be empowered by that business, and importantly supported by its leaders to bring about change.
This has been prepared for general information purposes only, is not professional advice and should not be acted on as such. If you would like more details or professional advice, please contact Brian Boehmer at Lockton Companies LLP.
This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.