Legal Business

The 2015 Risk Report – What lies beneath

Law firms have benefited from a relatively settled risk environment, despite a run of crisis-linked claims. But Legal Business’ annual risk survey finds dangers new and old lurking beneath the surface.

On the face of it, news in December 2014 that the number of professional negligence claims against solicitors had tripled in a year, based on research from RPC, was enough to give law firm risk managers and professional indemnity insurance (PII) specialists pause. RPC reported that High Court cases against law firms for professional negligence had increased by 192% from 143 in 2013 to 418.

But before panic set in, Joe Bryant, a partner at RPC, said that while the increase ‘looks like a pretty shocking, sudden and unexpected rise’, the primary reason for the sharp jump was that the time limit for pursuing professional negligence claims arising from losses stemming from the global financial crisis is closing. Claimants have six years from the date of the alleged negligence in which to launch an action in the courts. RPC said many of the claims involved property and conveyancing disputes, and included subprime mortgage lenders as the claimants.

Do you believe that OFR processes are completely effective and understood within your firm?

Has the SRA’s move to outcomes-focused regulation (OFR) created more confusion over risk management?

Has your firm completed its internal processes for dealing with OFR?

Commenting at the time, Stephenson Harwood senior partner Roland Foord told Legal Business that the spike was the result of claimants getting off the fence and filing claims before time ran out. Whether those claims would stick or even get served on firms was an entirely different matter.

‘People have been waiting, because they haven’t wanted to jump into litigation, and funding has become much more readily available in the last few years,’ he said. ‘I can’t imagine the increase is because solicitors have become three times more negligent!’

Such news will come as a relief to risk management specialists at the Legal Business 100 law firms. Although the PII market is as benign for top firms as it has ever been, the last thing risk specialists need is a flurry of substantive claims against them. As the findings of our eighth annual risk management and professional indemnity survey with broker Marsh show, risk teams at firms have plenty to worry about already, with regulatory pressures, cyber security issues and legal changes in compliance areas, like anti-money laundering laws, all circling.

The experience from firms surveyed suggests that, overall, claims are down. This is despite a number of high-profile cases against law firms in 2014.

In July, Nabarro paid out £10m to settle a £130m claim against it by a former client unhappy with its handling of a litigation matter. In a statement, the firm said it had vigorously contested the claims and that the settlement by its insurers ‘is not an admission of liability’.

It was not the only firm to pay out to settle a claim in 2014 by any means. Weil, Gotshal & Manges paid more than £3m to settle a professional negligence case made against it in late 2013 by private equity house The Bancroft Group, while Clifford Chance was joined to a £130m derivatives dispute between JP Morgan and German public transport provider Berliner Verkehrsbetriebe for allegedly providing negligent advice – the case was later settled.

Would your firm consider outside investment as a method of raising capital?

Did your firm receive a visit from the SRA during 2014?

Elsewhere, Withers confirmed last spring that it would appeal a High Court decision that ordered the firm to pay £1.6m in damages after upholding a claim by executive search company Wellesley Partners over the drafting of an LLP agreement. And, as recently as November 2014, news emerged that Global 100 stalwart Fried, Frank, Harris, Shriver & Jacobson is facing a €10m-plus professional negligence claim made by a former client alleging multiple breaches of duty over advice provided on the enforcement of a commercial loan in France. Also in November, liquidators for Scottish football club Rangers confirmed a £24m settlement had been paid by City firm Collyer Bristow over fees it received from the club’s controversial 2011 takeover.

But despite these much-publicised examples, feedback from risk managers and industry specialists suggests that overall the claims market against solicitor firms, especially those at the top, is pretty much flat.

‘We would probably say that there has been a decrease [in claims], although it is marginal,’ says Sandra Neilson-Moore, financial and professional liability practice managing director at Marsh. ‘It is pretty clear that when economic times are bad, there will be more claims. Things are generally getting better (at least in the UK), and that seems to be resulting in more work and fewer claims.’

The potential causes of claims in the eyes of risk management specialists are largely unchanged on last year as well (see table). They believe that errors made by staff/lawyers on routine, ‘bread and butter’ transactions have the greatest potential to give rise to a professional negligence claim. Strangely, the joint-most likely reason last year – errors made by staff/lawyers on complex, high-value transactions – appears to have diminished somewhat, replaced by ‘lawyers advising outside their area of expertise’. The most logical conclusion to be drawn is that legal teams, after years of pruning, are being stretched again to the extent that even the basics are not being covered extensively.

Calmer waters

It will be interesting to see if these significant settlements will have a material impact on PII premiums at these firms. Generally speaking, law firms remain satisfied with the value for money they are receiving from the insurance market, with 70% of respondents feeling that their PII is reasonably priced and 21% saying it is not, compared to 57% saying ‘yes’ and 26% saying ‘no’ last year.

‘The market for the top 100 has remained pretty static and level – that’s certainly our experience of it in terms of price,’ says Jo Riddick, compliance officer for legal practice at Macfarlanes. ‘We got a better price this year, but it slightly increased as we’ve got more turnover.’

‘The PII market is very soft and premiums continue to reduce,’ comments Andrew Carpenter, managing director at Marsh. ‘Very large limits of insurance can be purchased for very low premiums relative to the protection provided. Compared to other costs, this (although substantial) is likely looking to most firms to be reasonable in absolute terms.’

However, a significant number of risk specialists still feel that there is not enough competition among insurers to create a true PII market for law firms – although this has calmed down significantly from last year, where 50% said there was inadequate competition, to just 28% complaining this time around. One theory is that insurers are feeling more comfortable about providing cover to law firms, which is bringing more competition to the market. As Craig Perry, general counsel (GC) of CMS Cameron McKenna, observes: ‘There is competition in the PII market. More competition can never be a bad thing, but I don’t see it currently as a particular problem.’

What are the biggest underlying causes of professional malpractice claims generally?

What is the size of your risk team?

Riddick points out that Macfarlanes has used the same provider for PII for the past 25 years, largely because the firm has a good claims record that has kept premiums down and the fact she has a very good relationship with claims managers with the incumbent insurer. ‘We do go out and look around from time to time, and I’m regularly approached by brokers, but we have stuck with the incumbent,’ she says.

Neilson-Moore observes that ever since the end of the Solicitors Indemnity Fund, there have been only a handful of primary insurers that will provide quotes for the largest firms. However, she adds: ‘There are at least four or five that will do so and the number is growing. Not quickly, but it is growing. Adequate competition is a function of the attractiveness of the firm to the insurers and the skill of the broker however; some firms will get more from this process than others, for that reason.’

One particular reason behind the slowly growing interest from a wider cast of insurers in the solicitors’ market is the scrapping of the assigned risks pool (ARP) in 2011, the repository for failing law firms that could not get PII cover, which was funded by the insurance industry and ultimately paid for by larger firms through inflated premiums. Instead, the Solicitors Regulation Authority (SRA) opted to close firms down that failed to obtain cover. As of 6 January 2015, 49 firms in total entered the cessation period for not renewing their PII, of which 12 had already filed notice of closure and had largely completed the winding down process.

‘The scrapping of the ARP is a very good thing,’ says Carpenter. ‘Forty nine firms in the cessation period is a very small number. The much-prophesied “doomsday”, following the scrapping of the ARP, has simply not occurred. The insurers should be pleased to have “won” this one. It is now the insurer’s choice to insure or not to insure (rather than getting rejected risks in through the ARP back door) and that is how it should be.’

This sentiment is echoed by those working at firms. ‘The removal of ARP was overdue and was broadly welcomed as it removes an uneconomic cost,’ says Emma Dowden, director of best practice and operations at Burges Salmon.

Cleaning up: anti-money laundering is high on the agenda

One area of perennial concern for risk managers, that has moved up the agenda in the last 12 months, is anti-money laundering compliance. As the Fourth EU Money Laundering Directive wends its way through the European jurisdictions at press time, the topic has been driven up the agenda by the Serious Crime Bill in the UK, which was introduced during the summer of 2014. One particular area of concern is a new offence of ‘participation in an organised crime group’, which is intended to target ‘professional enablers’ – including solicitors, accountants and other professionals – who aid criminals to carry out their activities. But while this included advisers that ‘unwittingly’ aid criminals in the original draft, The Law Society’s money laundering task force successfully lobbied the government over the summer and early autumn, to help convince the Home Office that the offence was drafted too broadly in terms of the low burden of proof required to show a person had ‘actively’ facilitated crime. It was problematic in that it could have easily caught people inadvertently involved, along with the very few actively turning a blind eye to avoid being prosecuted for their complicit participation. The upshot was that the money laundering task force persuaded the government to amend the mens rea of the offence from ‘reasonable cause to suspect’ to ‘reasonably suspects’, which means that the test is more subjective, so that an ‘unwitting’ person is now far less likely to be caught by the remit of the offence.

Nonetheless, the role of lawyers and their procedures for complying with anti-money laundering laws has been particularly under the microscope during the past 12 months. As recently as January this year, Keith Bristow, head of the National Crime Agency, said in a speech at George Washington University: ‘The involvement of a small minority of complicit, negligent or unwitting professionals in the financial, legal and accountancy sectors facilitates money laundering.’

The SRA has also focused heavily on anti-money laundering, and launched a thematic review to work with firms in September 2014 to ensure robust systems are in place to guard against involvement in money laundering and that firms are compliant with the current regulations and legislation. Money laundering protocols have also been the focus of many SRA visits to firms during the past year, where it has been testing systems used to report money laundering and evaluating how well firms are using these systems.

‘The SRA is conducting a thematic review of high-impact law firms. There are real concerns over perhaps how effectively the anti-money laundering processes and procedures are being complied with in the legal profession,’ says TLT’s risk director John Verry. ‘It’s a concern, and it’s an area that is very easy to fall into through stupidity or naivety and a culture of over-trusting clients, and there’s a constant theme of education within the firm. However, you need to strike a balance and if you bang on about criminal activity too much, the less notice people may take. The actual impact of a money laundering breach, not least from the reputational damage as much as the event itself, is high.’

Big concerns for the SRA are the source of funds – about firms being vigilant on where that money is coming from and not paying lip service to client due diligence.

‘I’m not saying that firms are lackadaisical about it, but people do think that because they’ve done client due diligence, everything is going to be alright,’ adds Verry. ‘Well it’s not – it’s about keeping that awareness throughout the lifecycle of the relationship. A client might be asking you to do what appears to be a perfectly normal transaction, but that transaction might just be a vehicle in which to launder funds.’

Within that, one particular area of concern for top-100 law firms is that of beneficial ownership, ie determining who the ultimate beneficiary of a particular transaction is.

‘[The new rules] will require a holistic risk assessment – that’s often a challenge when identifying beneficial ownership within complex structures and doing that in a way which is timely in the running of the matter – getting the client due diligence right at the outset matters,’ says Emma Dowden, director of best practice and operations at Burges Salmon.

Jonathan Westwell, general counsel and partnership secretary at Baker & McKenzie, says a major challenge is getting hold of the beneficial ownership information in the first place in a global law firm. ‘In a truly global firm, the challenge you have is complying with varying legislative standards across the world. This requirement is very familiar in some markets, but in other markets it is totally alien.’

Clear and present danger

One economic cost that is likely to have a material effect on PII premiums and has given rise to a discrete area of insurance coverage is cyber security and data breaches. Clare Jaycock, director of risk and compliance at RPC, says that the firm has had cyber insurance for the last five years. ‘We’ve certainly had it in place since the time some law firms were pooh-poohing it,’ she says. ‘We saw it as being a risk, and you have to be realistic and look at what changes are happening in society and the world, and do what you can to meet the risks you are presented with.’

CMS’ Perry says that he expects a much wider take-up of cyber insurance by law firms and has added cyber policies to the insurance that the firm already purchases. ‘It’s been a hot topic for some time now. We have obviously been watching the issue closely. We treat information security in all aspects – not just IT but wider aspects – seriously. Teams involved in that area keep aware of best practice and are aware of threats.’

Conversely, Riddick argues: ‘It’s not something we’re currently taking. The majority of our risk is client-facing, which is our key concern, and is covered by our professional indemnity insurance. We also have a separate crime policy, which will look after the people-facing risks if there was some kind of criminal attempt, so we don’t see a present need for standalone cyber insurance, though we are certainly keeping that under review.’

But regardless of whether firms have bespoke cyber insurance in place or not, that the subject is even on the table is a reflection of how IT security is the number one headache for risk managers. A glance at our risk profile chart shows that an IT security breach, or data management accident or breach, remains by far the biggest nightmare for law firm risk managers. Not only does it have the highest aggregate score across the two charts for ‘impact’ and ‘potential’ – it has an aggregate score of 3.6/5 (up from 3.4 last year) – it has now supplanted a natural disaster or business continuity failure and the situation where the firm’s liabilities exceed the limits of its insurance cover as the most dangerous potential risk in terms of impact on the firm.

LEGAL RISK PROFILE 1: What impact would these situations have on your firm?

LEGAL RISK PROFILE 2: What is the potential for these situations occurring at your firm?

LEGAL RISK PROFILE 3: What is the potential of these professional negligence situations occurring at your firm?

There can be no doubt that cyber security has moved even higher up the agenda in the last 12 months. In July last year, whistleblower Edward Snowden urged law firms to encrypt their data as the sector is among those at high risk of surveillance threats. Indeed, according to PwC, nine out of ten UK organisations had a security breach in the last year and the UK government rates cyber attacks as a tier 1 threat to the nation. The Sony hack just before Christmas hiked governmental tensions between the US and North Korea, while hacks in retail have cost at least one US executive their job.

In our mobile cyber security feature ‘Pay as you go’, published last summer, EJ Hilbert, head of cyber investigations at Kroll EMEA and a former FBI special agent, told Legal Business that professional services firms are the number one target for cyber criminals who are after client information. Data is a commodity and the information firms collect from their clients for anti-money laundering compliance is exactly the information that cyber criminals buy and sell. He also observed that ‘compliance isn’t security’ – the threats are developing at such a pace that firms have to be ahead of the curve, rather than merely ticking boxes.

Law firms are fully aware that cyber attacks aren’t something that happen somewhere else. As Jonathan Westwell, GC and partnership secretary at Baker & McKenzie, observes: ‘If the CIA can be hacked, then any business in the world can be hacked.’

‘It is being driven up the agenda and a lot of it is coming from clients,’ says John Verry, risk director at TLT. ‘You see things like Sony and North Korea, and think: “What’s that got to do with us?” The fact is law firms are a hugely fertile area for these professional hackers, and there’s a lot of sensitive and confidential information held on behalf of corporate and government clients. As a profession, we need to be alive to the ease with which these hackers get into systems and the damage they can cause. The losses can be enormous, so it can be a catastrophic risk. It factors highly on the “sleepless nights” scale.’

Do you think your firm’s PI insurance is reasonably priced?

Is there adequate competition in the solicitors’ professional indemnity (PI) market?

There is no doubt that there is a certain amount of scaremongering going on, particularly as regards enticing firms into taking on specialist cyber insurance cover. But the threat is tangible: one risk manager recalls the time that a consultant came into the firm to talk about IT security and, during the course of the presentation, managed to hack the phone of one of the lawyers present. Another risk specialist anecdotally reveals having heard third hand about a top-100 firm looking to acquire a smaller firm that got hacked during negotiations and derailed the process.

Neilson-Moore at Marsh warns firms against panic buying extra cover in the current climate. ‘Everyone is a little more worried about it following the high-profile breaches that have been in the press in recent months,’ she says. ‘What the firms are doing about it is largely driven by their clients, who (quite naturally) want their sensitive data, which the firm is holding for them, to be safe. Insurers are not doing anything specific about prevention, but are continuing to develop and push firms to purchase cyber security policies. This insurance is still very inexpensive and we are not convinced that all of them dove-tail properly with PII. Firms should not simply purchase “off-the-shelf” policies for this. They should ensure that they work with a broker who knows how to tailor the cyber policy so that it interacts properly with the professional indemnity policy.’

Clients are certainly driving the focus on data security within law firms. The clearest manifestation of this is the increasing use of IT audits by clients of their preferred advisers, which are becoming comprehensive. Jaycock says RPC has often had clients with service-level agreements and the firm agreed to give them access when they want to do an audit, but this was rarely used in the past. ‘Now we are finding they are saying we do want to come round and audit. In a recent information security audit, the client had appointed an information security professional to conduct the audit. He raised many detailed and piercing questions.’

‘It is very high on the radar, not least because our clients are concerned about cyber security and in fact our larger clients – our banking clients – audit us on cyber security, which actually we find quite helpful as we can benchmark what we’re doing against what they expect us to be doing,’ says Riddick.

Both Jaycock and Riddick report instances where a client-appointed expert has put forward questionnaires with in excess of 100 detailed questions, ranging from technical questions that will require the head of IT, such as how the firm manages its firewalls and patches, to issues relating to physical security, such as how the firm protects physical access to the premises (and by extension hardware), the use of cameras and swipecards, etc.

But there is an irony to all this. On the one hand, clients insist firms use the latest technology but those same clients are themselves trying to meet restrictive standards, so they want all the quick fixes and quick solutions, but at the same time demand stringent information security requirements. The same clients who want quick fixes are the ones saying they want to audit firms and see if they have got information security at a sufficient level to suit the regulatory requirements.

The one way to counter this is to get industry-standard approval for the IT systems up front. The best way of achieving this is certification to ISO 27001, the information security management system standard. Verry says: ‘There’s nervousness among clients that law firms generally aren’t taking the right steps to secure their data. Generally among law firms, cyber security is viewed as something of an Achilles heel. I’ve always been concerned about data breaches, which probably stems from my time in the insurance world in the City. It’s very much client-driven – that is why we’ve obtained ISO 27001, to focus on these areas and pull compliance together.’

Nicole Bigby, partner and director of risk at Berwin Leighton Paisner, says her firm benefited from a committed effort to win ISO accreditation for the firm’s London office several years ago. It involved a lot of work around not only technical information security, such as perimeter testing and looking at potential vulnerability in IT infrastructure and architecture, but also looking more generally at the people, systems and processes that sit around IT; how the firm manages client information; supplier contracts; HR processes; facilities; and physical security.

‘We didn’t take a segmented approach in seeking to accredit just a particular system, such as document management,’ she says. ‘We took an integrated, holistic approach and certainly managing the size and scale of that project was a challenge, and just continually reinforcing those messages, and made sure all of our staff are continually aware of security issues that may well arise as a result of their actions and others, so we need to be continually aware, and educate and monitor the way people may look for vulnerabilities.’

The effort was worthwhile, she contends, because of the recognition accreditation attracts. ‘ISO 27001 is probably the recognised international benchmark for information security; a number of our large clients will be ISO 27001-accredited themselves. Some of them, depending on their sector or requirements, may ask for information above that. For some clients the accreditation is enough; some clients may also look at independent audit requirements.’

What is the annual cost in pounds sterling for each £1m of insurance purchased within the first £10m of the firm’s coverage?

Average total insurance cover for the top 150 UK firms

Regulatory confusion

Looking to the risk calendar for 2015, two high-agenda issues that will be keeping compliance teams busy are rapidly developing anti-money laundering legislation (see box, ‘Cleaning up’) and regulatory concerns over the SRA redrawing the ‘separate business rule’, in chapter 12 of the SRA Code of Conduct 2011, which has become outdated.

The SRA launched a consultation over the separate business rule, which covers when a law firm has a business interest or owns a business that is not regulated by the SRA. The SRA does not police this business, which could fall under the purview of the Financial Conduct Authority (FCA), for example, but rather the links between the law firm and this separate business. The consultation, which was closed in mid-February, also looked at expanding the services solicitors can provide as SRA-regulated businesses to include business support services, such as outsourcing, HR, transcription and also accounting.

Riddick says the rule changes are something that she has been looking at very carefully, particularly as she sits on the professional rules and regulations committee of The City of London Law Society (CLLS), which was highly critical of the SRA’s consultation in mid-February. The CLLS said the rule changes could cause ‘irreparable damage’ to the profession and ‘drive significant numbers of the profession’ into the unregulated sector.

Says Riddick: ‘The SRA is looking to permit regulated law firms to hold passive stakes in unregulated legal business on the basis that solicitors can’t practise in them, but it’s interesting that the feeling we are getting from the SRA – and this hasn’t been formalised or confirmed yet – is that they are moving towards a situation where they will permit solicitors to practise and compete in the unregulated sector, perhaps subject to some light-touch regulation.

How has the cost of the first £10m of the firm’s coverage changed, compared to last year?

How has the cost of the total limits of your firm’s indemnity changed, compared to last year?

‘The SRA view is changing to becoming a regulator where it regulates and is seen to regulate, only where it needs to. I suspect before too long there will be more freedom to practise in the unregulated sector and we will start seeing some very high-end, well-funded, private equity-backed law firm players operating there.’

Meanwhile, battle lines are being drawn between cross-industry regulators on the separate issue of consumer credit. This tussle sees a clash over what types of consumer credit work done by solicitors fall under the exempt professional firms (EPF) regime. The SRA is consulting on removing consumer credit work from the EPF. If that happens then law firms will have to get FCA approval to conduct a whole host of business-as-usual activities, such as arranging third-party funding, debt recovery and negotiating arrangements with creditors and lenders. The fear is, once the FCA has its claws into the legal profession – even in a limited capacity – then firms run the risk of being dual-regulated – something that means time, money and hassle.

‘We have a number of regulators and there will come a time when there’s a clash of heads over regulators,’ says Verry. ‘Risk management is meant to be targeted and proportionate. How is that meant to be the case with some of these regulators who are actually overlapping with the same types of work? This might not affect the larger firms, but certainly some quite sizeable ones and it is another layer of regulation to deal with, which impacts on costs and resources.’

Perry points out that a final decision on how the regulation will pan out has been postponed until October, but comments: ‘The fact that they put matters back from April to October suggests there will be some sort of resolution between the two regulators, but I don’t know. Those things can have quite a big impact on a firm. Some might need to be dual-regulated, which would be a big issue.’

This confused regulatory landscape adds more blood to the water, as far as risk managers are concerned. With considerable dangers such as cyber security breaches and implication in serious corporate crime now a much more likely threat to law firms than they have ever been, combined with some big recent scalps from negligence claims against firms, risk managers have more dangers than ever to avoid.

mark.mcateer@legalease.co.uk, michael.west@legalease.co.uk

Legal Business would like to thank Marsh for its sponsorship of this survey.