Cyber Risk Insurance for Lawyers in Tasmania

Since 2020-2021, all law practices in Tasmania insured through the Society's professional indemnity insurance scheme are automatically covered by a cyber risk insurance policy. If you have any queries about this scheme, please contact the Society on (03) 6234 4133 or

2021-2022 Cyber Risk Insurance Information for law practices

Lawcover & Law Society Tas TMK 2021-2022 Cyber Insurance Policy Wording

Undertake a Cyber Risk Assessment, here. Download the top 5 tips to minimise the risk of cyber-attacks, here.

Protect your firm’s data
Law practices hold large amounts of sensitive information about clients and others which may be accessible electronically. At the same time, data is an increasingly valuable resource that is likely to be targeted or inadvertently disclosed through security breaches. Solicitors’ duty of care requires maintenance of client confidentiality, and law practices have an obligation to protect confidential and sensitive information and to respond quickly and appropriately where there is a risk that this information has been or may be disclosed. For this reason, crisis assistance is an important aspect of the cyber risk policy.

Protect your systems
Many law practices are becoming increasingly reliant on the ongoing availability of computer systems and networked technology for their day-to-day activities, meaning the consequences of a cyber-attack resulting in a firm’s computer systems being damaged or taken offline could be severe.

The cyber risk policy will respond to cyber events such as ransomware and other disruption attacks. However, it is important to note that the cyber risk policy will not respond to problems unrelated to a cyber event which arise through failure to maintain a computer and/or network.

It is prudent for law practices to ensure that up-to-date antivirus protection is in place, and to undertake frequent back-ups to ensure data can be restored in the event of an uncontained cyber-attack.

The 2020/21 group cyber risk policy is underwritten by MS Amlin Syndicate 2001 at Lloyd’s. While the Society has purchased the group policy, in all other respects the cyber insurance relationship is between the insured law practice and MS Amlin.

Download the Policy, here. The policy limit for each law practice is $50,000 for all cover under the policy during the period of insurance.

Lawcover, the professional indemnity insurer of the legal profession in New South Wales, has negotiated on the Society’s behalf a cyber risk policy that is specific to the risks faced by law practices. Subject to the policy terms and conditions, cover is provided for:

  • Cyber Costs and Expenses, being the reasonable and necessary costs incurred to investigate and remediate a cyber-attack on your computer network.
  • Loss of Business Income and increased costs of working suffered as a result of electronic business interruption arising from a cyber-attack.
  • Cyber extortion payments, to the extent insurable by law and with Insurer’s consent, arising from cyber extortion threats made against the Practice.
  • Privacy Regulatory Defence and Penalties arising from a breach of security, privacy or breach of privacy regulations as a result of a cyber-attack on your computer network.
  • Crisis management costs and customer notification expenses incurred as a result of a cyber-attack or breach of privacy regulations.
  • Cyber liability to third parties to the extent these liabilities are not covered under the LST PII Policy or other relevant policies.

The applicable excesses under the cyber risk policy are based on each practice’s gross fee income for the last complete year. The table below shows the applicable excesses law practices will need to pay should a claim be made under the policy.

Last Complete Year Fee Income | Maximum Excess
$0 to $100,000 | $1,000
$100,001 to $1,500,000 | $1,500
$1,500,001 to $4,000,000 | $2,500
$4,000,001 to $7,500,000 | $5,000
$7,500,001 to $20,000,000 | $7,500
$20,000,001 to $40,000,000 | $10,000
$40,000,001 to $60,000,000 | $17,500
$60,000,001 to Unlimited | $25,000


Law practices should consider whether this limit and breadth of cover is sufficient for their individual needs. An insurance broker or professional adviser will assist in making this determination.

Changes to the Privacy Act 1988 (Cth) from February 2018 require mandatory reporting of eligible data breaches for many law practices.

Regardless of size, all law practices should be aware of the privacy legislation because:

  • Larger practices with annual turnover in excess of $3 million are subject to the legislation by default
  • Practices holding tax file numbers are subject to the legislation for the purposes of those records
  • Many law practices hold health records, which fall within the legislation (for example practices acting in personal injury litigation and holding medical information or practices holding medical certificates in relation to individuals’ legal capacity for the purposes of powers of attorney)

If your law practice falls into any of these categories it is required to comply with the new privacy regime.

Even if your law practice does not fall within this regime, protection of clients’ sensitive information is required under Solicitors’ Rules. Adequate cyber security protection is therefore an important component of modern legal practice.

The Law Society has purchased a foundational group cyber risk policy which covers law practices insured by the professional indemnity insurance scheme administered by the Law Society within the limits specified. Whether or not your law practice already has a cyber risk policy, this insurance is available to your law practice should you choose to use it.

As noted above, law practices can consider increasing the limit and breadth of their cyber cover having regard to this policy and should seek professional advice.

There will be no reduction in the PII premium paid by law practices if they choose not to utilise the cyber risk policy, because the policy is provided to insured practices without cost.

To notify a cyber event under the policy, the law practice should contact the incident response team at CBP Lawyers who will make an initial coverage assessment. Notifications must be made as follows:

Phone: 1800 BREACH (1800 273 224)


The Colin Biggers & Paisley Lawyers incident response team will assess the notified cyber event and advise the law practice whether coverage is available and if so, will act on a reservation of rights basis from that stage.

Your professional indemnity insurer is not the insurer for the cyber risk policy and notifications should be made directly to the CBP Lawyers incident response team as above.

If you are concerned that a third party might bring a claim against you as a consequence of a cyber event, you may have a claim under the Society’s professional indemnity insurance scheme. Please contact the scheme’s claims manager, Fleur Dewhurst,  or 0427 800 030

Contact the incident response team at CBP Lawyers who will make an initial coverage assessment.

Phone: 1800 BREACH (1800 273 224)


The Response Team will, after confirming coverage:

  • Triage your matter to ensure the practice is put in contact with the right people, which may include a provider on its panel of IT security consultants (e.g. Zirilio).
  • Assist, in conjunction with the IT provider, in assessing whether a security breach has occurred and if so will assist with system isolation and remediation. The Policy covers costs of remediation and restoration to pre-breach status but does not cover loss of funds as a result of business email compromise or social engineering frauds.
  • Provide advice as to whether a notifiable data breach under the Privacy Act has occurred and, if so, who to contact or whether an exemption applies.
  • Advise, if/where appropriate, on any obligations under the firm’s own cost agreement or retainer (where these include a privacy policy or specific privacy terms).
  • Work with the firm to assess whether there is a claim for loss of income / business interruption as a result of the cyber event.
  • Subject to the circumstances, may advise or work with the firm to manage extortion claims and payment of ransom (after all other solutions have been exhausted).