The annual premium for the first 12 months (December 31, 2022–December 31, 2023) is $265 per Subscriber and will be invoiced by ALIA with the 2023–2024 annual levy payment due by June 30, 2023.

Subscribers who are required to pay the Part A levy are also required to pay the cyber coverage levy (Part C). As such, the Subscriber together with their law firm will be covered under the universal cyber coverage program (the “Zurich Policy”) automatically.

Subscribers can download a certificate of indemnity from the Law Society of Alberta’s Lawyer Portal. Certificates will be available after February 25, 2023.

The Zurich Policy is effective as of December 31, 2022, for 12 months. If the losses under the program are acceptable to ALIA’s cyber insurance provider, Zurich Insurance Company Ltd. (“Zurich”), then the Zurich Policy will be extended to June 30, 2024, to coincide with the ALIA Group Policy renewal date. After that, it is expected that the Zurich Policy will run annually with the ALIA Group Policy.

Subscribers who are required to pay the Part A levy are also required to pay the cyber coverage levy (Part C). As such, the Subscriber together with their law firm will be covered under the universal cyber coverage program automatically effective December 31, 2022.

If a Subscriber is suspended, they will not have coverage. If there are other Subscribers at the law firm who have paid the levy, then they should report the claim.

ALIA recommends that all Subscribers and their law firms practice good cyber hygiene, such as implementing critical network security controls and training staff to protect themselves and their firm from a cyberattack. Information on cyber hygiene can be found here.

Please familiarize yourself with the Zurich Policy coverage, limits and exclusions. Descriptions of coverage are found in the FAQs; however, Subscribers and their law firms should review the Zurich Policy in full. The Zurich Policy and its limits can be viewed in the Law Society of Alberta’s Lawyer Portal.

Zurich Policy information is stored in the Law Society of Alberta’s Lawyer Portal to protect it from cybercriminals who search for this information.

Subscribers who are indemnified for their private practice work will have cyber coverage for that work. However, if a Subscriber is also working in an in-house role, that work is exempt from the indemnity program and would also be exempt from the cyber coverage program, and no cyber coverage is available through ALIA for the in-house work.

The Zurich policy covers ALIA Subscribers and their Alberta law firm locations if there is no other cyber coverage in place. If there is other cyber coverage in place the Zurich Policy acts as excess coverage.

If there is no other coverage available and the Alberta location suffers a covered loss, then the Alberta location will have coverage. If office locations outside Alberta are also impacted, then coverage for those locations will depend on the IT infrastructure set-up. Subscribers and law firms should report claims to Zurich as soon as they are aware of a breach so that a coverage determination can be made.

ALIA also recommends that Subscribers and their law firms review the Zurich Policy in full, including the “Other Insurance” section. The Zurich Policy can be viewed in the Law Society of Alberta’s Lawyer Portal.

The Zurich Policy information is stored in the Law Society of Alberta’s Lawyer Portal to protect it from cybercriminals who search for this information.

Limits

The Zurich Policy and the Policy limits are available to Subscribers on the Law Society of Alberta’s Lawyer Portal.

The limits are per law firm per policy year.

While the financial limits under the cyber coverage program are modest, universal coverage ensures that all Subscribers have access to 24/7 claims advice and the expertise critical to managing a cyber breach, such as computer forensics and legal advice.

Zurich Policy information is stored in the Law Society of Alberta’s Lawyer Portal to protect it from cybercriminals who search for this information.

Description of Coverage

First-party cyber coverage covers the costs for a Subscriber or their law firm to respond to a data privacy or security breach, such as a data or security breach caused by a ransomware attack. Generally, when faced with a ransomware attack, a Subscriber or their law firm will require legal advice and digital forensic investigation. First-party coverage provides Subscribers with access to these experts. If a Subscriber or law firm has a claim, it should be reported to Zurich immediately. Please refer to the FAQ titled ‘How do Subscribers and their law firms report cyber claims?’.

Breach Response Costs

Reimburses the costs* to respond to a data privacy or security incident. Covered expenses include computer forensic expenses to investigate the security system to determine the cause and extent of privacy or a security incident, legal expense costs, costs for a public relations firm and costs related to advertising to restore a Subscriber’s or their law firm’s reputation, consumer notification and consumer credit monitoring services.

*Costs are for expenses incurred from third-party vendors from Zurich’s vendor panel (e.g., a forensics firm, a lawyer acting as a breach coach, a public relations firm) and do not include internal law firm costs (e.g., wages of internal employees to deal with the breach).

This coverage does not include digital asset restoration, which is reimbursement for costs incurred to restore or recreate intangible or physical assets (software or data) that are corrupted, destroyed or deleted due to a network security failure. Subscribers and their law firms can access these resources through Zurich at preferred rates.

Cyber Extortion or Ransomware

Reimbursement for expenses incurred in investigating and terminating a threat and any payments made to prevent or resolve a threat.

Any summary of the Zurich Policy contained above is provided for general information purposes only and not as legal advice and is qualified in its entirety to the terms and conditions of the Zurich Policy. Subscribers should review the Zurich Policy, available on the Law Society of Alberta’s Lawyer Portal, to confirm their obligations and coverage in any circumstance.

Zurich Policy information is stored in the Law Society of Alberta’s Lawyer Portal to protect it from cybercriminals who search for this information.

Limits

The Zurich Policy and the policy limits are available to Subscribers on the Law Society of Alberta’s Lawyer Portal.

Zurich Policy information is stored in the Law Society of Alberta’s Lawyer Portal to protect it from cybercriminals who search for this information.

The limits are per law firm per policy year.

Description of Coverage

Third-party coverage is also referred to as network security and privacy liability. It covers legal defence costs or damages for a Subscriber’s or their law firm’s liability to clients due to a network security breach or privacy breach, for example, liability caused by theft or disclosure of confidential information due to a computer security breach or failure to protect personally identifiable or confidential third-party corporate information.

Network Security

Liability coverage for defence costs and damages suffered by others resulting from a failure of computer security, including liability caused by theft or disclosure of confidential information, unauthorized access, unauthorized use, denial of service attack or transmission of a computer virus.

Privacy Liability

Liability coverage for defence costs and damages suffered by others for any failure by the insured, or someone for whom the insured is legally responsible, to protect personally identifiable or confidential third-party corporate information, whether or not due to network security failure. Coverage may include:

• Unintentional violations of the insured’s privacy policy.
• Actions of rogue employees.
• Alleged wrongful collection of confidential information.

Regulatory Action

Liability coverage for defence costs for proceedings brought by a governmental agency in connection with the failure to protect private information and network security failure. The coverage also includes fines imposed pursuant to privacy regulations related to failing to protect private information and network security failure.

Any summary of the Zurich Policy contained above is provided for general information purposes only and not as legal advice and is qualified in its entirety to the terms and conditions of the Zurich Policy. Subscribers should review the Zurich Policy, available on the Law Society of Alberta’s Lawyer Portal, to confirm their obligations and coverage in any circumstance.

Zurich Policy information is stored in the Law Society of Alberta’s Lawyer Portal to protect it from cybercriminals who search for this information.

Yes. There is a $5,000 deductible applicable to the first-party coverage and the third-party coverage, which the Subscriber must pay before accessing the coverage limits. Only one deductible applies if both the first-party and third-party coverages are accessed for a claim. The deductible payment does not erode the limit of available insurance; in other words, the limits apply above the deductible amount.

The Zurich Policy and the policy limits can be accessed on the Law Society of Alberta’s Lawyer Portal.

Zurich Policy information is stored in the Law Society of Alberta’s Lawyer Portal to protect it from cybercriminals who search for this information.

Social Engineering and Cybercrime

Due to the high cost and limited availability of insurers offering coverage for loss of funds due to cyberattacks and social engineering, this coverage is not included. Social engineering uses targeted, fraudulent emails and other communications to dupe a lawyer, law firm or client into performing an action (e.g., emails to transfer money to fraudulent accounts). For example, a cybercriminal will send an email that appears to be coming from a client asking a law firm to redirect the transfer of funds to a different account from what was initially agreed upon. In some cases, the cybercriminal has gained access to the client’s or lawyer’s email account.

Social engineering can be prevented with low-cost, easy steps. For advice on how to avoid social engineering losses, please review the FAQ titled ‘What can a Subscriber or their law firm do to protect themselves from cyberattacks and social engineering?’. ALIA also publishes ALIAlerts on fraud attempts against Subscribers, including social engineering fraud, with tips on how to avoid these losses. Subscribers are urged to read these tips.

Hardware Replacement

Reimbursement coverage to replace hardware rendered inoperable due to a security breach, such as computers.

Digital Asset Restoration

Reimbursement for costs incurred to restore or recreate intangible or physical assets (software or data) that are corrupted, destroyed or deleted due to a network security failure.

Business Interruption

Reimbursement coverage for the insured for lost income caused by a network security failure and associated extra expenses.

Dependent Business Interruption

Reimbursement coverage for the insured for lost income caused by a network security failure.

Reputational Income Loss

Reimbursement coverage for the insured for lost income caused by bad publicity resulting from a security event.

Payment Card Industry (PCI) Fines and Penalties

Coverage for a monetary assessment (including a contractual fine or penalty) from a payment card association (e.g., MasterCard, Visa, American Express) or bank processing payment card transactions in connection with an insured’s non-compliance with PCI Data Security Standards.

Media Liability

Liability coverage for certain defense costs and damages suffered by others for content-based injuries such as libel, slander, defamation, copyright infringement, trademark infringement or invasion of privacy.

Any summary of the Zurich Policy contained above is provided for general information purposes only and not as legal advice and is qualified in its entirety to the terms and conditions of the Zurich Policy. Subscribers should review the Zurich Policy, available on the Law Society of Alberta’s Lawyer Portal, to confirm their obligations and coverage in any circumstance.

Subscribers can download the Zurich Policy and view the policy limits on the Law Society of Alberta’s Lawyer Portal.

Policy information is stored in the Law Society of Alberta’s Lawyer Portal to protect it from cybercriminals who search for this information.

If a Subscriber or their law firm wants to secure higher limits or broader coverage than what is provided with the universal cyber coverage program, they should speak to their insurance broker. ALIA’s broker, Aon Reed Stenhouse Inc. (“Aon”), can also assist Subscribers and their law firms explore purchasing excess or additional coverage and can be reached via email.

Subscribers can download a certificate of insurance for the Zurich Policy from the Law Society of Alberta’s Lawyer Portal. Certificates will be available for download after February 25, 2023.

The certificate refers to the Subscriber’s law firm as listed in the Law Society of Alberta’s records when the certificate is downloaded. Subscribers should review their certificates to ensure their law firm is current. If a Subscriber moves to another firm, they should download a new certificate with up-to-date firm information. If your certificate does not refer to your current firm, please contact ALIA for assistance.

If a Subscriber or their law firm suffers a cyber attack and cannot obtain a certificate (e.g., they can’t access the Law Society of Alberta’s Lawyer Portal and don’t have a physical certificate on hand), please contact ALIA for assistance.

ALIA recommends that Subscribers and their law firms retain their certificates for each policy period of the Zurich Policy, as well as a copy of the Zurich Policy. Zurich will request certificates from Subscribers and law firms as part of the claims process.

If a Subscriber or their law firm has existing cyber coverage, ALIA recommends discussing whether it makes sense to cancel the coverage with their insurance broker. The existing policy could have broader coverage or higher limits than the coverage provided by the universal cyber coverage program with Zurich.

The Zurich Policy acts as excess coverage if the Subscriber or their law firm has other cyber coverage. However, there are some exceptions to this where the Zurich Policy will act as primary coverage (e.g., respond to the loss first). This includes if the Subscriber’s or their law firm’s policy was purchased as excess coverage or if they have some element of cyber coverage in a commercial general liability or property policy.

ALIA recommends that Subscribers and their law firms review the entire Zurich Policy, including the “Other Insurance” section, with their insurance broker.

The Zurich Policy and the policy limits can be accessed on the Law Society of Alberta’s Lawyer Portal. The limits are available to review now, and the policy is expected to be available to review by December 9, 2022.

Zurich Policy information is stored in the Law Society of Alberta’s Lawyer Portal to protect it from cybercriminals who search for this information.

If ALIA does not renew the Zurich Policy or your law firm is no longer carrying on a business (for example, the firm is wound down or merges into or is acquired by another firm), coverage ceases and the Zurich Policy includes an automatic extended reporting period of 60 days immediately following the termination of the Policy for third party claims only. If a Subscriber or their law firm wants to purchase an extended reporting period beyond the 60 days, they can contact Aon for information.

If a Subscriber changes their Law Society of Alberta membership status, coverage ceases and similar extensions may be available. Please contact Aon.

ALIA recommends that Subscribers and their law firms contact Aon for advice on coverage implications where firms may no longer carry on business or where Subscribers change their Law Society of Alberta membership status. Subscribers should similarly contact Aon if the Subscriber or their law firm is joining a foreign law firm that is not covered under the Zurich Policy.

If the Zurich Policy is not renewed, ALIA is not obligated to Subscribers to purchase an extended reporting period beyond the automatic extended reporting period of 60 days.

Any summary of the Zurich Policy contained above is provided for general information purposes only and not as legal advice and is qualified in its entirety to the terms and conditions of the Zurich Policy. Subscribers should review the Zurich Policy, available on the Law Society of Alberta’s Lawyer Portal, to confirm their obligations and coverage in any circumstance.

In approving the cyber coverage program, the Benchers and ALIA’s Board recognized the importance of Subscribers having cyber coverage to protect themselves, their firms and their clients. Lawyers are attractive targets to cybercriminals due to the sensitive, confidential client information stored in the computer systems they use. Cybercriminals seek to extort or steal this information through ransomware and other malware. Cyberattacks can cripple computer systems and block access to files and information, interrupting professional services and exposing client information to criminals. Attempted attacks against Subscribers and their law firms are regularly reported to ALIA, some of which are successful and none of which are covered by the ALIA Group Policy. Every other province except Quebec has implemented some form of mandatory cyber coverage.

ALIA’s research shows that, despite their support for it, many Subscribers tend not to purchase cyber coverage. Cyber insurance can be difficult to purchase, as many sole practitioners and smaller law firms find it challenging to meet some insurers’ network security requirements. ALIA’s November 2021 Subscriber survey found that two-thirds of the Subscribers who responded would be interested in including cyber and/or social engineering coverage in ALIA’s indemnity program.

Without insurance, expert resources required to manage a cyber breach can be challenging to access in an emergency. The universal cyber program will ensure that all Subscribers have 24/7 access to cyber expertise to mitigate and help prevent security breaches and help restore professional services and reduce exposure to claims for client losses. It will also provide liability coverage for claims arising from cyber incidents.

ALIA selected Zurich, which was prepared to provide coverage to all Subscribers at an affordable price. ALIA would not have been able to offer universal coverage without including all Subscribers in the program.

No. The coverage is universal for all Subscribers. ALIA selected Zurich, which was prepared to provide coverage to all Subscribers at an affordable price. ALIA would not have been able to offer universal coverage without including all Subscribers in the program.

Cybercriminals continue to become more sophisticated in their tactics to obtain critical data from businesses. Firewalls and antivirus software are no longer enough to protect the networks of Subscribers and their law firms. Under the universal cyber coverage program, Subscribers and their law firms will have access to the critical breach response resources required to manage a cyberattack. Services such as IT forensics and cyber extortion experts are often difficult to obtain without having access to cyber insurance vendors.

Cyberattacks are complex and rapidly evolving, and cyber claims require special expertise. As such, ALIA felt that a commercial insurer would provide Subscribers with the knowledge required to help them manage a cyber breach.

After many months of research, ALIA, assisted by Aon, selected Zurich to provide this coverage. Zurich is one of the top insurers in Canada for cyber risk, and it currently underwrites cyber programs and provides 24/7 claims service. In addition, Zurich agreed to accept all Subscribers into the program without going through an onerous application process.

The cyber coverage program is universal to ensure that all ALIA Subscribers and their law firms have a basic level of coverage. ALIA indemnifies individual Subscribers who are required to pay the annual levy by the Rules of the Law Society of Alberta. As such, each Subscriber who is required to pay the Part A levy is also required to pay the cyber coverage levy (Part C).

Cyber coverage limits are based on the law firm because cyberattacks typically impact the firm’s entire network. Furthermore, it can be challenging to determine which Subscriber or employee of the firm may have initiated the cyber breach. It would be challenging to tie the coverage back to one individual Subscriber or employee of a law firm, which is also why claims will not be surcharged. Furthermore, if a law firm experiences a cyberattack, they are at risk of being attacked again, which is why cyber policies contain specific limits applicable to the law firm. As such, every law firm, regardless of size, should be taking steps to implement appropriate cyber hygiene to reduce further incidents.

The ALIA website is the best source for information about all aspects of the indemnity program, including information on the universal cyber coverage program. However, for coverage questions, including extended reporting period information, please contact Aon at ALIAcyber@aon.ca.

Tips on Cyber Hygiene Best Practices to Prevent Cyberattacks

Tips on Preventing Social Engineering Fraud