Universal Cyber Coverage Program - ALIA

Jump to: Cyber Coverage FAQs Cyber Claim FAQs Cyber Hygiene Best Practices Social Engineering Tips

Commencing December 31, 2022, Alberta Lawyers Indemnity Association (“ALIA”) implemented universal cyber coverage for all lawyers who participate in ALIA’s mandatory indemnity program (“Subscribers”).

The cyber coverage policy was extended from December 31, 2023, to July 1, 2024, to essentially align the cyber coverage policy period with that of the Group Policy. ALIA’s expectation is that cyber coverage will continue each year indefinitely, with its annual premium payments aligned with the Group Policy levies (i.e., due on or before June 30 for the 12-month policy period commencing July 1 each year).

The cyber coverage program—provided by a global insurer and administered by ALIA—is designed to protect Subscribers, their law firms and, by extension, their clients by giving Subscribers and their law firms quick access to critical resources needed to respond to cyberattacks. It also covers claims for data and security breaches and regulatory proceedings brought against Subscribers and their law firms.

Subscribers and their law firms do not need to submit individual insurance applications or go through an (often onerous) application process to receive this coverage. The coverage is provided seamlessly and automatically to all Subscribers and their law firms. The annual Universal Cyber Coverage Premium is included in the annual levy invoice, and the premium amount is announced in the annual ALIAdvisory levy announcement.

In initially approving the Universal Cyber Coverage Program, the Law Society of Alberta Benchers and ALIA’s Board recognized the importance of universal cyber coverage to protect Subscribers, their law firms and, by extension, their clients. Lawyers are attractive targets to cybercriminals due to the sensitive, confidential client information stored in the computer systems they use. Cybercriminals seek to extort or steal this information through ransomware and other malware. Cyberattacks can cripple computer systems and block access to files and information, interrupting professional services and exposing client information to criminals. Attempted attacks—some of which are successful—against Subscribers and their law firms are reported to ALIA regularly, but these types of claims are not covered by the ALIA Group Policy. Every province except Quebec has implemented some form of mandatory cyber coverage.

Universal cyber coverage ensures that all Subscribers have access to the critical breach response resources required to manage a cyberattack. Without insurance, expert resources needed to manage a cyber breach can be difficult to locate in an emergency. The cyber program provides all Subscribers with 24/7 access to cyber expertise in the event of a security breach to help restore professional services and reduce exposure to claims for client losses.

Universal cyber coverage also provides liability coverage for claims arising from cyber incidents, subject to the limits set out in each Subscriber’s Cyber Coverage Certificate, which is available in the Law Society of Alberta’s Lawyer Portal. The coverage includes first-party coverage for breach response costs, data recovery costs, and cyber extortion, and third-party coverage for claims against Subscribers or their law firms for data or security breach.

After many months of research, ALIA, assisted by its broker, Aon Reed Stenhouse Inc. (“Aon”), selected Beazley Canada Limited (“Beazley”) to provide the Universal Cyber Coverage Program (the “Beazley Policy”) effective July 1, 2024. Although there were no concerns with the previous insurer, Zurich Insurance Company Ltd. (“Zurich”), ALIA works to ensure that its Subscribers continue to receive the best value for their premiums/levies, and the increased coverage provided by Beazley merited the switch in insurers.

Beazley is one of the top insurers in Canada for cyber risk and currently underwrites cyber programs and provides 24/7 claims service. In addition, Beazley agreed to accept all Subscribers into the program without requiring an onerous application process, meaning all Subscribers and their law firms continue to have coverage.

Previous Cyber Coverage Certificates (i.e., certificates for the period December 31, 2022, to 12:01 a.m. on July 1, 2024) refer to the Zurich cyber policy (the “Zurich Policy”). Claims made up to 12:01 a.m. on July 1, 2024, should be reported under the Zurich Policy. Notices of claims must be provided as soon as possible and in no event later than 60 days after the end of the policy period. Claims of which Subscribers become aware during the period December 31, 2022, to 12:01 a.m. on July 1, 2024, and are not reported within this timeframe will not be covered by the Zurich Policy or the Beazley Policy. Cyber Coverage Certificates for the Zurich Policy are available in the Law Society of Alberta’s Lawyer Portal. For further information on the Zurich Policy, including a copy of the policy and the claims reporting protocol, please contact ALIAcyber@aon.ca.

If Subscribers are uncertain as to which policy to report matters under, they can reach out to ALIAcyber@aon.ca with a request for additional support.

ALIA intends to continue the cyber program indefinitely. That said, pricing and availability of future policies will depend on the program’s loss history and the cyber coverage market. ALIA endeavours to deliver a high-quality indemnity program in which Subscribers have access to appropriate coverage at a reasonable price while continuing to keep the levy as low as reasonably possible. While the cyber coverage modestly increases the total amount payable by each Subscriber annually, it ensures that all Subscribers have cyber coverage and access to critical resources needed to manage a cyber breach.

Subscribers play an essential role in the continuing success of the Universal Cyber Coverage Program by ensuring they practice good “cyber hygiene” to reduce or eliminate cyberattacks. Practicing cyber hygiene includes implementing network security controls to improve online security to mitigate cyber breaches and conducting cyber security awareness training.

The cyber coverage program includes access to regular cyber security seminars that ALIA will host with experts from Aon and Beazley. Topics will include education on best practices to protect Subscribers and their law firms from cyberattacks.

All Subscribers should read the Cyber Coverage FAQs to understand what the Universal Cyber Coverage Program does and does not include. Subscribers should also review the Beazley Policy coverage and limits, which information is available to Subscribers through the Law Society of Alberta’s Lawyer Portal. Please note that some coverages set out in the text of the Beazley Policy are inapplicable. Subscribers should refer to their Cyber Coverage Certificate available in the Law Society of Alberta’s Lawyer Portal for a listing of the coverages provided under the Beazley Policy.

Cyber Coverage FAQs

Please review the FAQs below for more information on the Universal Cyber Coverage Program.

The Universal Cyber Coverage Premium for the July 1, 2024, to July 1, 2025, policy period, the payment of which is the responsibility of each Subscriber, remains the same as last year: $265 per Subscriber.

The Universal Cyber Coverage Premium for 2024-2025 is included in the annual levy invoice available online through the Law Society of Alberta’s Lawyer Portal and must also be paid on or before June 30, 2024.

Subscribers who are required to pay the Professional Liability / Negligence levy are also required to pay the Universal Cyber Coverage Premium. As such, the Subscriber and their law firm will be covered under the Universal Cyber Coverage Program (the “Beazley Policy”) automatically.

Subscribers can download a Cyber Coverage Certificate from the Law Society of Alberta’s Lawyer Portal. Certificates for the policy year commencing on July 1 in each year are available shortly after the policy year commences. Certificates for previous policy periods are also available.

Effective December 31, 2022, to July 1, 2024, the universal cyber coverage policy was provided by Zurich Insurance Company Ltd. (“Zurich”). Effective July 1, 2024, universal cyber coverage is provided by Beazley Canada Limited (“Beazley”) through their cyber policy (the “Beazley Policy”). It is expected the Beazley Policy will run annually each year from July 1 to July 1.

Claims of which Subscribers become aware during the period December 31, 2022, to 12:01 a.m. on July 1, 2024, should be reported to Zurich pursuant to the Cyber Coverage Certificate for Zurich’s cyber policy (the “Zurich Policy”). Notices of claims must be provided as soon as possible and in no event later than 60 days after the end of the policy period. Claims of which Subscribers become aware during the period December 31, 2022, to 12:01 a.m. on July 1, 2024, and are not reported within this timeframe will not be covered by the Zurich Policy or the Beazley Policy.

Claims of which Subscribers become aware from and after 12:01 a.m. on July 1, 2024, should be reported to Beazley pursuant to the Cyber Coverage Certificate for the Beazley Policy.

Cyber Coverage Certificates for each period are available in the Law Society of Alberta’s Lawyer Portal.

If a Subscriber is suspended, they will not have coverage. If there are other Subscribers at the law firm who have paid the levy, they should report the claim.

ALIA recommends that all Subscribers and their law firms practice good cyber hygiene, such as implementing critical network security controls and training staff to protect themselves and their law firm from a cyberattack. Information on cyber hygiene can be found here.

Please familiarize yourself with the Beazley Policy coverage, limits and exclusions. Descriptions of coverage are found in the FAQs; however, Subscribers and their law firms should review the Beazley Policy in full. The Beazley Policy and its limits can be viewed in the Law Society of Alberta’s Lawyer Portal.

Cyber policy information is stored in the Law Society of Alberta’s Lawyer Portal to protect it from cybercriminals who search for this information.

Effective July 1, 2024, the previous insurer, Zurich, was replaced with Beazley. After many months of research, ALIA, assisted by Aon, selected Beazley to provide this coverage. Although there were no concerns with the service provided by Zurich, ALIA works to ensure that its Subscribers continue to receive the best value for their premiums / levies, and the increased coverage provided by Beazley merited the switch in insurers. Subscribers do not have to take any action for the switch in coverage to take place on July 1, 2024.

Like Zurich, Beazley is one of the top insurers in Canada for cyber risk and currently underwrites cyber programs and provides 24/7 claims service. In addition, Beazley agreed to enhance the program’s coverage and limits while accepting all Subscribers into the program without going through an onerous application process.

Subscribers should download a new certificate of insurance for the new policy period. This can be downloaded from the Law Society of Alberta’s Lawyer Portal shortly after the policy year commences.

The Beazley Policy commences immediately after the Zurich Policy expires, providing Subscribers with continuous coverage. The Beazley Policy provides enhanced coverage and limits.

The Beazley Policy and its limits can be viewed in the Law Society of Alberta’s Lawyer Portal.

Claims will need to be reported to either Zurich or Beazley, depending on when the Subscriber first became aware of the claim. Refer to the Cyber Claim Information FAQs for further information.

Subscribers who are indemnified for their private practice work will have cyber coverage for that work. However, if a Subscriber is also working in an in-house role, that work is exempt from the indemnity program and would also be exempt from the Universal Cyber Coverage Program; no cyber coverage is available through ALIA for the in-house work.

The Beazley Policy covers ALIA Subscribers and their Alberta law firm locations if there is no other cyber coverage in place. If there is other cyber coverage in place, the Beazley Policy acts as excess coverage.

If there is no other coverage available and the Alberta location suffers a covered loss, then the Alberta location will have coverage. If office locations outside Alberta are also impacted, then coverage for those locations will depend on the IT infrastructure set-up. Subscribers and law firms should report claims to Beazley as soon as they are aware of a breach so that a coverage determination can be made.

ALIA also recommends that Subscribers and their law firms review the Beazley Policy in full, including the “Other Insurance” section. The Beazley Policy can be viewed in the Law Society of Alberta’s Lawyer Portal.

Cyber policy information is stored in the Law Society of Alberta’s Lawyer Portal to protect it from cybercriminals who search for this information.

Limits

The Beazley Policy and the policy limits are available to Subscribers in the Law Society of Alberta’s Lawyer Portal.

The limits are per law firm per policy year.

Universal cyber coverage ensures that all Subscribers have access to 24/7 claims advice and the expertise critical to managing a cyber breach, such as computer experts and legal advice, as well as financial risk transfer subject to the limits set out in the Cyber Coverage Certificate.

Cyber policy information is stored in the Law Society of Alberta’s Lawyer Portal to protect it from cybercriminals who search for this information.

Description of Beazley Coverage

First-party cyber coverage covers the costs for a Subscriber or their law firm to respond to a data or security breach, such as a data or security breach caused by a ransomware attack. Generally, when faced with a ransomware attack, a Subscriber or their law firm will require legal and IT advice. First-party coverage provides Subscribers with access to these experts. If a Subscriber or law firm has a claim, it should be reported to the insurer immediately. Please refer to the FAQ titled “How do Subscribers and their law firms report cyber claims?”.

Breach Response Costs

Reimburses the costs* to respond to a data or security breach. Covered fees and costs include expenses of computer security experts to investigate the security system to determine the cause and extent of a data or security incident, legal expense costs, public relations and crisis management costs, consumer notification and consumer credit monitoring services.

*Costs are for expenses incurred from third-party vendors from Beazley’s vendor panel (e.g., computer security experts, a lawyer acting as a breach coach, a public relations firm) and do not include internal law firm costs (e.g., wages of internal employees to deal with the breach).

Cyber Extortion Loss

Reimbursement for expenses incurred in preventing or terminating an extortion threat and any payments made to prevent or respond to an extortion threat.

Data Recovery Costs

Reimbursement of costs, incurred as a result of a security breach, to regain access to, replace, or restore data, or if it cannot reasonably be accessed, replaced or restored, costs to reach this determination.

Inapplicable Coverages

While the Beazley Policy may refer to third-party coverages other than those summarized above, only the coverages listed in the Cyber Coverage Certificate for the Beazley Policy are provided. The applicable coverages listed in the certificate are Breach Response Costs, Cyber Extortion Loss, Data Recovery Costs, Data & Network Liability and Regulatory Defence & Penalties. Please see the FAQ titled “What coverage is not provided by the Universal Cyber Coverage Program?”.

Any summary of the Beazley Policy contained above is provided for general information purposes only and not as legal advice and is qualified in its entirety to the terms and conditions of the Beazley Policy. Subscribers should review the Beazley Policy, available in the Law Society of Alberta’s Lawyer Portal, to confirm their obligations and coverage in any circumstance.

Cyber policy information is stored in the Law Society of Alberta’s Lawyer Portal to protect it from cybercriminals who search for this information.

Limits

The Beazley Policy and the policy limits are available to Subscribers in the Law Society of Alberta’s Lawyer Portal.

The limits are per law firm per policy year. Cyber policy information is stored in the Law Society of Alberta’s Lawyer Portal to protect it from cybercriminals who search for this information

Description of Beazley Coverage

Third-party coverage, or liability coverage, is also referred to as Data & Network Liability and Regulatory Defense & Penalties. It covers legal defence costs and damages for a Subscriber’s or their law firm’s liability to clients due to a security breach or data breach, for example, liability caused by theft or disclosure of confidential information due to a computer security breach or the loss of theft of personally identifiable or confidential third-party corporate information, as well as costs and penalties of regulatory proceedings for a data or security breach.

Data & Network Liability

Liability coverage for defence costs and damages suffered by others resulting from a data breach or a security breach. A data breach includes the theft, loss, or unauthorized disclosure of personal information under privacy laws or confidential information of a third party, for which the Subscriber or their law firm is liable. A security breach includes a failure of computer security, including unauthorized access or use, denial of service attack or infection by or transmission of a computer virus.

Coverage is also provided for the insured’s failure to timely disclose a data or security breach and certain failures of an insured to comply with its own privacy policy.

Regulatory Defence & Penalties

Liability coverage for defence costs, as well as fines and penalties payable to a governmental entity and amounts paid into a consumer redress fund, in a civil regulatory proceeding for a data breach or security breach.

Inapplicable Coverages

Yes. There is a $5,000 deductible applicable to first-party coverage and third-party coverage, which the Subscriber must pay before accessing the coverage limits. Only one deductible applies if both the first-party and third-party coverages are accessed for a claim. The deductible payment does not erode the limit of available insurance; in other words, the limits apply above the deductible amount.

The Beazley Policy and the policy limits can be accessed in the Law Society of Alberta’s Lawyer Portal.

Cyber policy information is stored in the Law Society of Alberta’s Lawyer Portal to protect it from cybercriminals who search for this information.

eCrime, including Social Engineering

The Beazley Policy does not provide eCrime coverage, including financial losses resulting from fraudulent instruction, funds transfer fraud or telephone fraud. These unavailable coverages are, for the most part, social engineering and cybercrime coverages.

Due to the high cost and limited availability of insurers offering coverage for loss of funds due to cyberattacks and social engineering, this coverage is not included. Social engineering uses targeted, fraudulent emails and other communications to dupe a lawyer, law firm or client into performing an action. For example, a cybercriminal will send an email that appears to be coming from a client asking a law firm to redirect the transfer of funds to a different account from what was initially agreed upon. In some cases, the cybercriminal has gained access to the client’s or lawyer’s email account.

Social engineering can be prevented with low-cost, easy steps. For advice on how to avoid social engineering losses, please review the FAQ titled “What can a Subscriber or their law firm do to protect themselves from cyberattacks and social engineering?” . ALIA also publishes ALIAlerts on fraud attempts against Subscribers, including social engineering fraud, with tips on how to avoid these losses. Subscribers are urged to read these tips.

Other Inapplicable Coverages

In addition to eCrime, other kinds of cyber coverages are not provided under the Universal Cyber Coverage Program. While the Beazley Policy language may contain some or all of the following coverages (“Inapplicable Coverages”) , only the coverages listed in the Cyber Coverage Certificate for the Beazley Policy are provided. The applicable coverages listed in the Cyber Coverage Certificate for the Beazley Policy are Breach Response, Cyber Extortion Loss, Data Recovery Costs, Data & Network Liability and Regulatory Defence & Penalties.

The following coverages are the Inapplicable Coverages, which are not provided, even though the text of the Beazley Policy may contain some or all of them:

Computer Hardware Replacement

Reimbursement coverage to replace hardware unable to function due to a security breach or system failure, such as computers.

Business Interruption

Reimbursement coverage for the insured for lost income caused by a security breach or system failure and associated forensic and extra expenses.

Dependent Business Interruption

Reimbursement coverage for the insured for lost income and extra expenses caused by a security breach or system failure of a third party that the insured depends on to conduct its business.

Reputational Loss

Reimbursement coverage for the insured for the loss of net profits/losses caused by bad publicity resulting from a security event.
Payment Card Liabilities and Costs (PCI)
Coverage for any monetary amount owed by an insured, as a result of a data breach, pursuant to any agreement with a financial institution, credit/debit card company, credit/debit card processor or independent service operator enabling the insured to accept credit card, debit card, prepaid card or other payment cards for payments.

Criminal Reward

Coverage to indemnify the insured for amounts offered and paid by the insured for information that leads to the arrest and conviction of individuals who commit illegal acts relating to coverage under the policy.

Impersonation Fraud Loss

Coverage to indemnify the insured for losses of the insured’s customers, costs of the insured to provide goods or services to a third party, and other costs resulting from fraudulent electronic communications or websites designed to impersonate the insured or its products.

Media Liability

Liability coverage for certain defense costs and damages suffered by others for content-based injuries such as libel, slander, defamation, copyright infringement, trademark infringement or invasion of privacy.

Subscribers can download the Beazley Policy and view the policy limits in the Law Society of Alberta’s Lawyer Portal.

Cyber policy information is stored in the Law Society of Alberta’s Lawyer Portal to protect it from cybercriminals who search for this information.

If a Subscriber or their law firm wants to secure higher limits or broader coverage than that provided by the Universal Cyber Coverage Program, they should speak to their insurance broker. ALIA’s broker, Aon, can also assist Subscribers and their law firms explore purchasing excess or additional coverage and can be reached via email.

Subscribers should download a new Cyber Coverage Certificate for the new policy period. Subscribers can download a Cyber Coverage Certificate for the Beazley Policy from the Law Society of Alberta’s Lawyer Portal. Cyber Coverage Certificates for the policy year commencing on July 1 of each year are available shortly after the policy year commences. Certificates for previous periods are also available.

The certificate refers to the Subscriber’s law firm as listed in the Law Society of Alberta’s records when the certificate is downloaded. Subscribers should review their certificates to ensure their law firm is current. If a Subscriber moves to another firm, they should download a new certificate with up-to-date firm information. If your certificate does not refer to your current firm, please contact ALIA for assistance.

If a Subscriber or their law firm suffers a cyberattack and cannot obtain a certificate (e.g., they cannot access the Law Society of Alberta’s Lawyer Portal and do not have a physical certificate on hand), they should contact ALIA for assistance.

ALIA recommends that Subscribers and their law firms retain their certificates for each policy period of the Beazley Policy, as well as a copy of the Beazley Policy. Beazley will request certificates from Subscribers and law firms as part of the claims process.

If a Subscriber or their law firm has existing cyber coverage, ALIA recommends discussing whether it makes sense to cancel the coverage with their insurance broker. The existing policy could have broader coverage or higher limits than the coverage provided by the Universal Cyber Coverage Program with Beazley.

The Beazley Policy acts as excess coverage if the Subscriber or their law firm has other cyber coverage. However, there are some exceptions to this where the Beazley Policy will act as primary coverage (e.g., respond to the loss first). This includes if the Subscriber’s or their law firm’s policy was purchased as excess coverage or if they have some element of cyber coverage in a commercial general liability or property policy.

ALIA recommends that Subscribers and their law firms review the entire Beazley Policy, including the “Other Insurance” section, with their insurance broker.

The Beazley Policy and the policy limits can be accessed in the Law Society of Alberta’s Lawyer Portal.

Cyber policy information is stored in the Law Society of Alberta’s Lawyer Portal to protect it from cybercriminals who search for this information.

If ALIA cancels or does not renew the Beazley Policy, notices of claims must be provided as soon as practicable and in no event later than 60 days after the end of the policy period or the end of an optional extension period. For breach response costs and data recovery costs, notices of data breaches and security breaches must be provided as soon as practicable (with a 60-day extension being provided in certain limited circumstances for data recovery costs).

If the Beazley Policy terminates, ALIA may purchase an optional extension period at the program level, and Subscribers and their law firms may purchase an optional extension period for themselves. If a Subscriber or their law firm wants to purchase an extended reporting period, they can contact Aon for information.

If a Subscriber changes their Law Society of Alberta membership status, coverage ceases and similar extensions may be available. ALIA recommends that Subscribers and their law firms contact Aon for advice on coverage implications where firms may no longer carry on business or where Subscribers change their Law Society of Alberta membership status.

If the Beazley Policy is not renewed, ALIA is not obligated to Subscribers to purchase an extended reporting period.

In approving the Universal Cyber Coverage Program in 2022, the Benchers and ALIA’s Board recognized the importance of Subscribers having cyber coverage to protect themselves, their firms and, by extension, their clients. Lawyers are attractive targets to cybercriminals due to the sensitive, confidential client information stored in the computer systems they use. Cybercriminals seek to extort or steal this information through ransomware and other malware. Cyberattacks can cripple computer systems and block access to files and information, interrupting professional services and exposing client information to criminals. Attempted attacks–some of which are successful–against Subscribers and their law firms are reported to ALIA regularly, but these types of claims are not covered by the ALIA Group Policy. Every province except Quebec has implemented some form of mandatory cyber coverage.

ALIA’s November 2021 Subscriber survey found that two-thirds of the Subscribers who responded would be interested in including cyber and/or social engineering coverage in ALIA’s indemnity program. Despite their support for it, ALIA’s research shows that many Subscribers tend not to purchase cyber coverage. Cyber insurance can be difficult to purchase, as many sole practitioners and smaller law firms find it challenging to meet some insurers’ network security requirements.

Without insurance, expert resources required to manage a cyber breach can be challenging to access in an emergency. The Universal Cyber Coverage Program ensures that all Subscribers have 24/7 access to cyber expertise to mitigate and help prevent security and data breaches and help restore professional services and reduce exposure to claims for client losses. It will also provide liability coverage for claims arising from cyber incidents.

No. The coverage is universal for all Subscribers. ALIA selected Beazley, which was prepared to provide coverage to all Subscribers at an affordable price . ALIA would not be able to offer universal cyber coverage without including all Subscribers in the program.

Cybercriminals continue to become more sophisticated in their tactics to obtain critical data from businesses. Firewalls and antivirus software are no longer enough to protect the networks of Subscribers and their law firms. Under the Universal Cyber Coverage Program, Subscribers and their law firms will have access to the critical breach response resources required to manage a cyberattack. Services such as IT experts and cyber extortion experts are often difficult to obtain without having access to cyber insurance vendors.

Cyberattacks are complex and rapidly evolving, and cyber claims require special expertise. As such, ALIA felt that a commercial insurer would provide Subscribers with the knowledge required to help them manage a cyber breach.

After many months of research, ALIA, assisted by Aon, selected Beazley to provide this coverage. Beazley is one of the top insurers in Canada for cyber risk, and it currently underwrites cyber programs and provides 24/7 claims service. In addition, Beazley agreed to enhance the program’s coverage from the previous insurer while accepting all Subscribers into the program without going through an onerous application process.

The cyber coverage program is universal to ensure that all ALIA Subscribers and their law firms have a basic level of coverage. ALIA indemnifies individual Subscribers who are required to pay the annual levy by the Rules of the Law Society of Alberta. As such, each Subscriber who is required to pay the Part A levy is also required to pay the cyber coverage levy.

Cyber coverage limits are based on the law firm, because cyberattacks typically impact the firm’s entire network. Furthermore, it would be challenging to determine which Subscriber or employee of the firm may have initiated the cyber breach and to tie the coverage back to one individual Subscriber or employee of a law firm, which is also why claims will not be surcharged. Finally, if a law firm experiences a cyberattack, they are at risk of being attacked again, which is why cyber policies contain specific limits applicable to the law firm. As such, every law firm, regardless of size, should be taking steps to implement appropriate cyber hygiene to reduce further incidents.

The ALIA website is the best source for information about all aspects of the indemnity program, including information on the Universal Cyber Coverage Program. However, for coverage questions, including extended reporting period information, please contact Aon at ALIAcyber@aon.ca.

Subscribers have access to educational and loss control information and services made available by Beazley from time to time and includes access to beazleybreachsolutions.com, a dedicated portal through which Subscribers can access news and information regarding breach response planning, data and network security threats, best practices in protecting data and networks, offers from third party service providers, and related information, tools and services.

Further resources are also available on ALIA’s website:

Tips on Cyber Hygiene Best Practices to Prevent Cyberattacks
Tips on Preventi ng Social Engineering Fraud

Cyber Claim FAQs

Claims occurring and known to Subscribers/law firms before 12:01 a.m. July 1, 2024

Report to Zurich

Claims of which Subscribers/law firms become aware during the period December 31, 2022, to 12:01 a.m. on July 1, 2024, should be reported to Zurich pursuant to the Cyber Coverage Certificate for the Zurich Policy. Notices of claims to Zurich must be provided as soon as possible and in no event later than 60 days after the end of the policy period. Claims of which Subscribers become aware during the period December 31, 2022, to 12:01 a.m. on July 1, 2024, and are not reported within this timeframe will not be covered by the Zurich Policy or the Beazley Policy.

Claims from and after 12:01 a.m. on July 1, 2024

Report to Beazley

Claims, and any circumstances that could reasonably be the basis for Claims, of which Subscribers/law firms become aware from and after 12:01 a.m. on July 1, 2024, should be reported to Beazley pursuant to the Cyber Coverage Certificate for the Beazley Policy.

The following outlines how reports may be made to Beazley, as set out in the Claims Reporting Protocol for the Beazley Policy, which is available in the Law Society of Alberta’s Lawyer Portal. Please note Cyber Coverage Certificates for the Zurich Policy are also available to Subscribers in the Law Society of Alberta’s Lawyer Portal for claims made up to 12:01 a.m. on July 1, 2024. For further information on the Zurich Policy, including a copy of the Zurich Policy and the claims reporting protocol for the Zurich Policy, please contact Aon at ALIAcyber@aon.ca.

For all matters, Beazley’s dedicated Beazley Breach Response Services Team will assist in responding to actual or suspected security and/or data breach incidents. The Beazley Breach Response Services Team will triage and assess the severity of the security or data breach incident and assist with coordinating the range of resources and services required for response. This contact will also serve as notice of a claim and/or incident to Beazley.

Contact information is as follows:

Notification Email: bbrcanada@beazley.com

Phone: 1.844.778.5950 – 24 Hour Hotline

Fax: 1.860.679.0247

Beazley Canada Limited
First Canadian Place, 100 King Street West
Suite 4530, P.O. Box 328
Toronto, ON M5X 1E1

What you need to report to Beazley:

Your Cyber Coverage Certificate. Certificates for a policy year commencing on July 1 in each year are available shortly after the policy year commences. If you have a claim before the certificate is available or have difficulty accessing your certificate, please contact ALIA for assistance.
The Claims Reporting Protocol, which includes the cyber program policy number. The Claims Reporting Protocol, including Beazley’s contact information and Incident Reporting Form, are available in the Law Society of Alberta’s Lawyer Portal.

ALIA recommends that Subscribers print their Cyber Coverage Certificate and the Claims Reporting Protocol—including the Incident Reporting Form—so they have this information in the event of a claim. For technical assistance with the Lawyer Portal, please contact the dedicated Law Society of Alberta technical support team between 8:00 a.m. and 4:30 p.m. Mountain Time at 403.541.4810.

If a Subscriber or their law firm has other insurance that might respond to the claim, they need to notify that insurer separately.

Click the highlighted links to access information on when to report a privacy breach or data breach to the Law Society of Alberta.

All Subscribers pay the same cyber coverage levy, which will not result in a surcharge if you have a cyber claim.

However, the claims experience of all Subscribers will impact the future renewal rate of the cyber program, and a poor claims experience could cause an increase in the Universal Cyber Coverage Premium, which will translate into a higher levy for all Subscribers. ALIA strongly recommends that Subscribers and their law firms maintain good cyber hygiene by implementing appropriate controls. Read on for a list of cyber hygiene best practices.

Subscribers should download a new certificate of insurance for the new policy period. Subscribers can download a Cyber Coverage Certificate for the Beazley Policy from the Law Society of Alberta’s Lawyer Portal. Certificates for a policy year commencing on July 1 in each year are available shortly after the policy year commences.

The Cyber Coverage Certificate refers to the Subscriber’s law firm as listed in the Law Society of Alberta’s records when the certificate is downloaded. Subscribers should review their certificates to ensure their law firm is current. If a Subscriber moves to another firm, they should download a new certificate with up-to-date firm information. If your certificate does not refer to your current firm, please contact ALIA for assistance.

If a Subscriber or their law firm suffers a cyberattack and cannot obtain a Cyber Coverage Certificate (e.g., they cannot access the Law Society of Alberta’s Lawyer Portal and do not have a physical certificate on hand), please contact ALIA for assistance.

Further resources are also available on ALIA’s website:

Tips on Cyber Hygiene Best Practices to Prevent Cyberattacks
Tips on Preventi ng Social Engineering Fraud

Cyber Hygiene Best Practices

Infographic explaining cyber hygiene suggestions

Cyber hygiene refers to the practices and steps that users of computers and other devices take to maintain system health and improve online security. Similar to the personal hygiene practices undertaken to maintain good health and well-being, cyber hygiene practices can keep data safe and well protected.

General security tips

Do not use an operating system that has been retired or is no longer supported, i.e., Windows 7 and Windows XP or macOS Mojave and Big Sur.
Regularly update the operating system and other software/applications you use. This will ensure you have the latest security associated with these programs.
Install antivirus software.
Use complex passwords, including upper case, lower case and special characters and numbers, and change them regularly. Click here to view the Government of Canada website on passwords.
Click here to read the Law Society of Alberta’s resource on password managers.
Incorporate multi-factor authentication (“MFA”) into your systems. This helps prevent ransomware attacks and other cyber threats. MFA requires two or more verification steps, such as a password and a secondary code received via email or text messaging, to access your devices or accounts. For example, you would use a password and a secondary number code from an app on your phone. Click here to view the Government of Canada website on MFA.
Back up your data regularly and store it offline or on the cloud. This will allow you to restore from your backups without losing too many days of work in the event of a cyberattack.
Conduct cyber security awareness training for everyone in your law firm (e.g., phishing training). Conduct social engineering best-practice training and implement best practices with clients.
Disable ex-employee access rights to the firm’s databases immediately upon exit.

The Government of Canada has excellent resources on getting cyber safe.

Employee awareness and cyber hygiene

Have all employees take cyber security awareness training annually (i.e., phishing training). Educate employees and end users on how to spot phishing emails and recognize the red flags to reduce clicks on malicious emails. Many ransomware attackers use scams like phishing to gain a foothold in a network. Click here to access the Government of Canada website on how to ‘Get Cyber Safe’, which includes information on phishing and the seven red flags of phishing.
Always secure laptops and confidential documents—do not leave them in cars or unattended and unsecured overnight in the office.
Limit access to confidential information to key people. Make sure secure areas really are “secure” and locked.
If an employee is to be terminated, plan in advance to block the employee’s access to prevent any deletion, alteration or theft of confidential information.

Common ways to spot and prevent phishing emails and scams

Spelling and grammar mistakes within an email.
Minimal or vague details provided about the request.
Requests for money or financial information (including an unusual or unexpected invoice or a wire transfer to a foreign country).
A link within an email that prompts your login credentials.
An unusual urgency or time-sensitive nature to the request.
A stated or implied need for secrecy (such as an instruction not to call them over the phone).
An unexpected request from a vendor or client to change their banking or payment information.
A sender’s email address that is external or contains misspellings.

How to deal with suspected phishing attempts

If you receive a suspicious email from someone you know, call or speak to the sender in person to verify that they did, in fact, send the message. If you cannot verify that the sender actually sent the message, or if the person who allegedly sent the message informs you that they did not send it, alert IT personnel or another appropriate resource immediately.

Infographic explaining actions ALIA's Subscribers can take to protect themselves from Social Engineering Losses

Subscribers should agree with their clients in advance on how changes in payment instructions will be handled.

ALIA strongly recommends that Subscribers discourage or eliminate accepting banking details or wire transfer instructions via email. Subscribers should confirm with their clients that email should not be used to communicate banking instructions or changes unless they are approved by telephone via a known number, video conference or, if possible, in person.

Changes in banking instructions should be an immediate and significant red flag.

As the Universal Cyber Coverage Program does not cover social engineering losses, Subscribers must protect themselves by verifying all changes to payment instructions by confirming the change in instructions using a different medium from which they were first received (e.g., if you receive new instructions via email, you should call your client at the phone number contained in your file to verify the payment instructions). This step can help reduce the risks posed by email hacks and cases where documents have been intercepted and manipulated.

Law firms that have implemented independent verification protocols have successfully foiled fraud attempts. For example, a quick call to verify written wire payments might save you from being a victim of fraud.

Make fighting fraud part of your law firm’s culture by continually educating yourself and training your staff about fraud risk.

Below are examples of independent internal verification in action:

A law firm partner emails from the firm address or a personal email account instructing you to wire money out of trust. You walk down the hall to the partner’s office to ask if the partner sent the instructions. You learn the partner is out of the office, and rather than replying to the email to confirm the direction, which will not help if the email account is compromised, you decide to call or text the partner.
Before wiring funds to another firm, a lawyer from Firm A emails wire instructions to a lawyer at Firm B. The lawyer or staff from Firm B calls the lawyer or staff at Firm A to confirm the wire instructions. This verification process can also apply to receiving wire instructions from a financial institution or any other request for payment by wire transfer.
Before wiring funds to a client, the client emails to instruct you to wire payments to an account. Next, you call the client at the number you have on file to verify that the client’s instructions are valid and that the client’s account has not been hacked.

ALIA regularly publishes information on social engineering scams targeting Alberta lawyers and law firms in ALIAlert email updates to its Subscribers. For more tips on how to prevent business email compromise, a form of social engineering, view the following articles: