Paragon Blog


Cyber insurance market update… and six top tips


Cyber-attacks are never out of the press these days. And whilst these stories were previously confined to the insurance or IT publications, the mainstream media now heavily report these matters as more and more companies find themselves the target of hackers. The coronavirus pandemic has also brought an increase in the frequency and severity of ransom demands, as well as further dislocation in the cyber insurance market.


  • Increased number of hackers and a heightened sophistication of hackers operating, including “hacking as a service” whereby those with the knowledge and means to do so “sell” their services to clients.
  • The increase in successful ransom attacks encourages the hackers to launch further attacks and be bolder with their targets.
  • The pandemic has exponentially increased the number of individuals working remotely. This significantly increases a network’s attack surface and the potential vulnerabilities within it.
  • Significant volumes of email flowing in and out of any organization increase its exposure to attack. Sectors that rely heavily on email to conduct business (e.g. law firms) are at an even greater risk of attack.
  • For some businesses, the need and desire to quickly establish remote working capabilities for their staff in Q1 2020 may have come at the cost of network security.


  • The “spray and pray” tactics of yesteryear did not differentiate their targets. A hacker would attack as many targets as possible, hoping someone would “bite”. Ransom demands were small ($5,000-$10,000) and the same for all targets.
  • Hackers now operate in a far more targeted way – they know who they are attacking, their financial means and (in one case we are aware of) the limit of their cyber insurance policy (the hacker was able to view the insured’s cyber policy details before bringing their network down).
  • It is no longer just about the data that an organization is holding, but also about their reliance on their network to do business. Historically we have seen many ransom attacks purely encrypting the network and providing the decryption keys once their demands are met. Now a new trend has emerged where hackers will look to exfiltrate the data as well as encrypt the network – threatening to post this data on the dark web if the ransom demand is not met. So, if your business is reliant on data or an IT network, or in many cases both, you are of interest to cyber hackers.
  • We understand the largest ransom demand paid by insurers is circa $40 million. We have seen ransom demands against our own clients running into the millions of dollars and this does not take into account the additional first party expenses, business interruption costs and extra expenses that are incurred during and post the ransom event.

What can firms do to protect themselves? There is no such thing as 100% secure when it comes to cyber security. The recent SolarWinds and Microsoft Exchange Server breaches demonstrate that a well-resourced hacker can hack any system, including the US government. However, there are some core cyber risk management tools that every organization should consider.

  1. Email controls & security – the first line of defense against ransomware events. Use of an email filtering gateway, DKIM, SPF and DMARC will reduce (but not eliminate) the threat posed by hackers.
  2. Multi-Factor Authentication (MFA), especially for all remote access, critical applications, back-ups and privileged accounts.
  3. Utilize an endpoint detection and response tool – in the current environment, endpoint protection alone is no longer good enough. Insurers will want to see firms use endpoint detection and response tools before offering terms.
  4. Secure back-ups – increasingly, back-ups are also encrypted by the hackers. Secure back-ups are essential – segregated from the network, offline, backed up on to tapes, with access controlled via MFA. And test the back-ups frequently.
  5. Training – one of the weak links in most companies’ defense against hackers is their people. So, train and test all people with connectivity to the network in information security awareness, especially phishing threats, by running regular phishing simulation campaigns. Share results. Give feedback. And continue to train/educate your people.
  6. Maintain good cyber security hygiene – no unsupported software/systems within the network, regular patching, monitoring and logging of access and suspicious activity, have separate credentials for privileged access, limit local administration rights access and employ a strong password policy, with an enhanced version for employees with administration rights.
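Tip 1 names SPF and DMARC as controls that reduce the email threat, but the protection they give depends on how the DNS records are actually configured. The script below is an added example, not code from the Paragon post: it grades constructed SPF and DMARC TXT records (sample strings, no DNS lookups, so it runs offline) and flags the weak settings an insurer’s questionnaire or a security review would call out, such as an SPF record ending in `+all` or a DMARC policy of `p=none`. The domain names and record values are made up for illustration; DKIM is not covered because checking it needs a lookup of the selector’s public key.

```python
"""Grade SPF and DMARC records for common weak settings.

Added example for illustration; the records below are constructed sample
strings, not real domains, and nothing here performs a DNS query.
"""
import re
from dataclasses import dataclass, field

# Constructed sample records: one weak configuration, one hardened one.
SAMPLE_RECORDS = {
    # Weak: SPF ends in "+all" (anyone may send), DMARC only monitors half the mail.
    "weak.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net +all",
        "dmarc": "v=DMARC1; p=none; pct=50",
    },
    # Hardened: explicit senders with "-all", DMARC rejects and reports.
    "strong.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; "
                 "rua=mailto:dmarc@strong.example; adkim=s; aspf=s",
    },
}


@dataclass
class Finding:
    domain: str
    issues: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.issues


def check_spf(record: str) -> list:
    """Return a list of weaknesses found in an SPF TXT record."""
    issues = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record missing or malformed (no v=spf1)"]
    # The 'all' mechanism decides what happens to senders not matched earlier.
    all_terms = [t for t in terms[1:] if re.fullmatch(r"[+\-~?]?all", t, re.I)]
    if not all_terms:
        issues.append("SPF has no 'all' mechanism; unmatched senders default to neutral")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            issues.append("SPF ends in '+all': any host may send as this domain")
        elif qualifier == "?":
            issues.append("SPF ends in '?all': neutral result gives receivers no guidance")
        elif qualifier == "~":
            issues.append("SPF ends in '~all' (softfail); '-all' is stronger once senders are known")
    # RFC 7208 caps DNS-querying mechanisms at 10; more than that is a permerror.
    lookup_re = r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?:[:/=]|$)"
    lookups = sum(1 for t in terms if re.match(lookup_re, t, re.I))
    if lookups > 10:
        issues.append(f"SPF needs {lookups} DNS lookups; the limit is 10, so it will permerror")
    return issues


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list:
    """Return a list of weaknesses found in a DMARC TXT record."""
    issues = []
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC record missing or malformed (no v=DMARC1)"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        issues.append("DMARC p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("DMARC p=quarantine; p=reject is the end state")
    elif policy != "reject":
        issues.append(f"DMARC policy '{policy}' is not valid")
    pct = int(tags.get("pct", "100") or 100)
    if pct < 100:
        issues.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("DMARC has no rua= address: no aggregate reports, so failures go unseen")
    return issues


def assess(domain: str, records: dict) -> Finding:
    """Combine the SPF and DMARC checks for one domain."""
    finding = Finding(domain)
    finding.issues += check_spf(records.get("spf", ""))
    finding.issues += check_dmarc(records.get("dmarc", ""))
    return finding


if __name__ == "__main__":
    for dom, recs in SAMPLE_RECORDS.items():
        result = assess(dom, recs)
        print(f"{dom}: {'OK' if result.ok else 'WEAK'}")
        for issue in result.issues:
            print("  -", issue)
```

Running the script prints the weak domain with four findings (`+all`, `p=none`, `pct=50`, no `rua`) and the hardened domain as OK. In practice the same checks would be run against the TXT records returned by DNS for your own sending domains, and the `rua` reports are what tell you whether legitimate mail is failing before you move from `p=none` to `p=reject`.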

When it comes to cyber insurance, subject to the terms and conditions of your policy, the ransom payment can be covered. More importantly, the IT/forensics vendor and, in some cases, the specialized extortion vendor that come with the policy will be able to provide support to the firm. They can:

  • Make efforts to assess whether the extortionist has access to what they say they do.
  • Make efforts to assess backups (or other control) in place to understand if the affected network can be restored via backups with minimal disruption to the business, thus not having to pay the ransom.
  • Communicate with the extortionist to try to negotiate the demand down and to determine whether the decryption key is likely to work – vendors often deal with the same hacking group on a daily basis, so become acquainted with their tactics.
  • Make efforts to determine whether the payment is being sent to a sanctioned territory or actor, a requirement under OFAC.
  • Make the payment of the final negotiated demand via cryptocurrency to preserve the firm’s anonymity in the event it was not a targeted attack. The vendor typically has access to cryptocurrency accounts which can help get payment made quickly (these events have very short fuses).

The cyber market is hardening at rapid pace. However, for risks that can demonstrate strong cyber security controls there is still a lot of capacity available, albeit at increased rates (20-50%) and sometimes increased retentions. If firms cannot demonstrate strong controls then a combination of higher premium, increased retentions, sub limits, no ransomware cover, lower capacity offered and, in some cases, declinations from insurers (renewal and new markets) should be expected. Paragon has a team of expert cyber insurance professionals who can help insureds through the renewal process and obtain the best terms and coverage available from the market.


James Noon

Senior Vice President

D: +44 (0)207 280 8242

M: +44 (0)771 867 0599

SRA Risk Outlook


In continued partnership with Paragon, Weightmans’ Compli team – who provide bespoke risk management and compliance consultancy services – have produced a paper discussing some of the key areas of focus for the SRA in 2021.

Those of you who attended the SRA’s (virtual) annual COLP and COFA conference have heard the SRA discuss a number of topics including anti-money laundering compliance, cybercrime, innovation and technology, accounts rules and dubious investment schemes, to name just a few. If you missed any of the talks, they can be found on the SRA’s website.
It’s perhaps no surprise that a number of these topics are included in the SRA’s latest 2020/2021 Risk Outlook, published just a couple of days before the annual conference.
The key focus areas for the SRA (and therefore for you also) for 2021 include:

♣ Anti-money laundering
♣ Client money
♣ Diversity
♣ Information and cyber security
♣ Integrity and ethics
♣ Meeting legal needs
♣ Standards of service

Summarising each of these (which is no replacement for reading the Outlook in full):

Anti-money laundering

The SRA has identified some new anti-money laundering risks arising from the economic and COVID-19 uncertainties, in particular the surge in instructions during the Stamp Duty Land Tax holiday period and the change from face-to-face to online identification/verification procedures, and it warns firms to be on high alert for vendor fraud, which is increasing. It also identifies a heightened risk where firms have made money laundering compliance roles redundant, and warns firms that are exploring new areas of work which might make them more vulnerable to exploitation, or that might consider taking on work they would not otherwise accept in order to maintain their business.
The SRA will continue its review of firms’ compliance with the Money Laundering Regulations 2017 in 2021, checking that firms have the right controls in place to mitigate the risk of money laundering, including the need to independently audit these controls and procedures. Audit is an area that many firms seem to have neglected, or where they have misunderstood the need for independence. The Legal Sector Affinity Group published its updated anti-money laundering guidance on 20 January 2021 and the SRA Sectoral Risk Assessment was published on 28 January. If your firm comes within the AML regulations (and more will now do so following the widening of the definition of ‘tax adviser’), you will need to read the documents, review your firm-wide risk assessment and update, where relevant, your AML policies and procedures.

One of our takeaways from the conference was the SRA’s confirmation in the anti-money laundering practical tips webinar, that firms can charge clients for client due diligence electronic searches (provided they are clear and transparent). We have always been of the view that there was nothing wrong with charging for such important risk mitigation steps and it is pleasing that the SRA now appears to have done a U-turn on this.

Client money

Again, the SRA has highlighted that economic uncertainties have increased financial problems for the public and firms, which in turn heightens the risk to client money. It reminds firms that dishonesty and misuse of client money will be dealt with the utmost severity (only last month a solicitor who caused a £885k client account shortfall by using client money to pay his own office fees was struck off). It also provides links to its warning notices and guidance on issues such as use of client account as a banking facility, third-party-managed accounts and taking money from client account for fees.

Diversity in the profession

2021 will see the SRA’s next diversity collection data exercise and the Risk Outlook stresses the importance of having a diverse profession. It anticipates that COVID-19 and the recession “will continue to affect many people’s opportunities to enter and progress in the profession” and “pay gaps, and the stay gap, might widen if firms do not take appropriate action”.

The SRA will be monitoring individuals subject to its enforcement processes by ethnicity, gender, age and disability and will also be commissioning research to understand why there is an overrepresentation of BAME people in the concerns reported to many regulators of the professions in different sectors.
It also directs firms to its Equality, Diversity and Inclusion resources including its toolkit on sexual harassment in the workplace which lists resources to support firms in eliminating bullying and harassment. Given the recent overturning of the high-profile Solicitors Disciplinary Tribunal decision against Ryan Beckwith where the High Court found that the tribunal had been wrong to find that Beckwith had failed to act with integrity in circumstances where there had been no finding that he had taken unfair advantage, we can only hope that the SRA will carefully review its enforcement approach in relation to conduct outside of a solicitor’s professional life where no criminality is involved.

Information and cyber-security

According to the Risk Outlook, nearly £2.5m of money held by firms had been stolen by cybercriminals in the first half of 2020, which was over three times the amount reported in the first half of 2019. The increased reliance on technology due to lockdown has in turn led to a huge increase in phishing scams with ransomware also becoming more serious and, with more people likely to be working from home more regularly in the future, firms are being advised to ensure their security is up-to-date and staff are trained and know what to do in the event of an attack.

Integrity and ethics

In addition to reminding solicitors of the importance of acting with integrity at all times (and warning of the heightened risk of solicitors failing to act with integrity if placed under financial pressure due to the recession and COVID), the Outlook’s main focus in this section is on dubious investment schemes, which it says are on the increase. Remember that if a deal seems too good to be true, then it probably is!

Meeting legal needs

Compliance with the SRA’s transparency rules is emphasised in this section of the Risk Outlook. There are still firms whose websites are non-compliant and the SRA will be taking appropriate action in 2021 where necessary.

Standards of service

Firms will need to ensure that any new procedures introduced as a result of COVID, for example how signatures are witnessed or how new clients are identified and verified, are implemented correctly to ensure that the high professional standards expected are met. Diversification of services without having suitably experienced solicitors dealing with the new practice area, reduced staff numbers due to furlough/redundancies, supervision difficulties as a result of working from home and staff being under stress are all risks which firms need to be alert to in 2021. The Risk Outlook also includes a spotlight on the personal injury sector and managing volume claims which all firms involved in these types of claims should review carefully.

Other issues to keep an eye on in 2021:

♣ The introduction of the SQE in the Autumn
♣ Financial stability issues and the importance of effecting an orderly closure if necessary
♣ Professional indemnity insurance renewals – we will remain in a hard market at least for the April 2021 renewal so firms due to renew then should already be looking to address this as early as possible and be in a position to present your firm to insurers in the best possible way
♣ Compliance resource – the SRA has seen during the pandemic that some compliance officers have increased the time they spend on fee earning rather than compliance tasks and has stressed that this must not lead to issues and firms must maintain compliance and keep their systems and controls in check. If you are one of these firms, now is the time to consider outsourcing so do get in touch if you need more support in this area.

This article has been written by Michelle Garlick of Weightmans LLP’s Manchester Office. If you have any questions about Paragon, Weightmans, Compli and their services or the above article please do not hesitate to get in touch.

Martin MacHale
T  +44 (0)20 7280 8209
M  +44 (0)7854 314 344

Ryan Senior
T  +44 (0)20 7280 8254
M  +44 (0)7827 575 652

This article is published without responsibility on the part of the author or publishers for any loss occasioned by any person acting or refraining from action as a result of any views expressed in the article. Specific risk management advice requires detailed knowledge and analysis of firm and practice area facts relating to the risk. The information included in this article cannot and does not attempt to satisfy this requirement for any of its readers.

Essential steps for successful change management


The new year has brought with it continued challenges. The UK continues to operate within strict lockdown restrictions and, for the time being, uncertainty remains as to when non-essential businesses will be able to ‘return to normal’. Remote working is increasingly commonplace, and personnel are encouraged to work from home wherever possible. Law firms and other businesses providing valuable professional services will need to consider how to service their clients remotely, implement innovation within their firms to cope with process changes, and maintain compliance with regulatory requirements.

Nonetheless, regardless of world pandemics causing disruption, change is constant, and the need to evolve as a business will make the difference between profit and loss. Change can be voluntary or forced, arising from any aspect of your firm’s activities, including financial, regulatory, statute-led, technological or operational.

It is a fact that a business unprepared to change will soon fall behind its competitors as others strive to evolve. Those businesses who genuinely want to embrace change must ensure that they approach it correctly. Often the most significant barrier to change is not the owners’ or managers’ willingness but the staff. Your ability to obtain buy-in from staff will significantly influence the success or failure of any change.

Negative perceptions can be associated with discussions about change – e.g. the business has hit troubled times financially and needs to reduce expenses or technological advancement results in necessary job losses.

However, change can, and often is, positive; growth due to a business doing well, moving into new sectors, additional recruitment due to new clients coming on board, or even moving to bigger and better premises.

Nevertheless, even a positive reason for driving change can be a disruptive influence if poorly managed.

Rather than focusing on the operational or financial needs of a business, in this article, I want to discuss the impact on staff and how to address the challenges they can pose during an uncertain time for them. Employees are a significant factor in any change management programme; your plan will be destined to fail without them on board.

The Challenge

Working with businesses to assist in managing change, we often find that the need to change has been recognised and discussed by the firm’s Partners/Directors. On the other hand, the staff might not have been involved and just expected to adapt willingly.

It can be frustrating when a business has positive reasons for the change but encounters resistance from some within the organisation who believe they will personally feel the impact. In turn, this can lead to negativity setting in.

In our experience, some key steps are vital to the successful implementation of change. Every business or consultancy will have an approach which they feel works, but every strategy must put the staff at the heart of the change management programme or risk dealing with the fallout if they resist.

Change arises for a variety of reasons. Responding quickly and effectively is key to any successful business. Often, change is not a simple desire to improve profits; it comes from a shift in the law or regulation, or simply because the old way of working is out of date. Technological developments are continually arriving in all sectors, and failure to embrace this puts a business at risk.

  • Consult – Once the need is recognised, you must consult with your staff. They will probably be aware that changes are needed. Whether industry news is covering a shift in the market or rumours have started within the organisation, they will have an idea that something is about to or has to change. The sooner a business can talk to its staff, the quicker the ‘buy-in’ will start. Whatever the reason for the need to change, whether positive or negative, most will respect the owners for taking action, but they will respect them more for discussing the need for change directly with them and what impact it will have on them. The business’ size will dictate who needs to be consulted – is it everyone, or nominees selected to represent a group? It might also be sensible to involve some individuals who might not be directly affected to ensure balanced views are obtained.
  • Identify – Talking with the staff will help identify their concerns. You may not be able to stop the change from coming, but its impact can be fully appreciated once the problems of those affected are identified and where possible addressed. Once the staff has established that you are taking their views into account, the buy-in will come much faster.
  • Understand – Take time to understand the concerns and how any changes might impact. If you accept any of the points identified as causing anxiety, you can respond to them. Not every issue can be overcome, but you can help staff understand by explaining the reason for the change and why some of the issues they raise might be understandable but cannot be overcome.
  • Adapt – Where you can adapt, do so. Listen to the staff’s ideas and suggestions, and be prepared to change your own views and plans for implementing change. The staff are often much closer to the service delivery (and therefore the clients) than the owners or managers, so their views will have value.
  • Plan – Having taken into account the thoughts and views of all and established a clear path, change needs to be carefully planned before any execution. Knowing what to do is often the easiest part of the task. Exactly how the plan will be followed through and the results will be monitored is vitally important. Where there is an impact on jobs, particularly job losses, ensure your message is clear and consistent so that you do not lose key people through a period of uncertainty. Be aware of the timings that the business needs to achieve the change and plan your change process to meet the business’ needs. Do not rush a change management programme or be too eager to get it in place too quickly. Ensure your plan is clear, and those involved are aware of the time frame for delivery. Make sure you set key milestones to measure the progress.
  • Finalise – When the consulting and planning stages are complete, and change is about to be implemented, take stock of where you have arrived and the information gathered along the journey. This will be the last time to make adjustments before implementation. Gather your key team to review what you initially set out to achieve and if any final adjustments need to be made to achieve the ultimate goal.
  • Implement – If you have gone through the preparation stages correctly, the implementation stage should be the easiest part. You will be aware of what change is coming, as will all of those involved in the process and the staff. Communication is critical here as you push the change into the business, but this will ensure you have the maximum chance of achieving your goals.
  • Monitor – Once you have implemented the change, ensure that you revisit your goals and objectives to ensure you are achieving what you set out to. Not all changes will achieve the desired results, and most changes will need adapting as time progresses, but that will not happen if you do not set new targets and objectives.

The challenge for business owners is to identify the need to change and take action to implement that change successfully. The immediate impact of change is highly likely to affect staff and recognising their issues and concerns is vital to a successful change management programme.

The Process

  • Recognise – The first step to change is always recognising the need. That should be obvious if you understand your business, have set financial and operational goals, and have monitored performance. Watching how your business performs against realistic plans will provide the first diagnostic indicators that change is needed. However, change is often thrust upon a business, for example, due to regulation or statute. Still, there is always enough time to effect a change management programme as long as the need is recognised and responded to as it arises.

The Result

  • The change’s impact will not always be a positive experience for everyone, regardless of the starting point and drivers. However, for change to be successful, it must be well thought out, discussed, and implemented with a clear strategy and goal.
  • Change does not stop when the business has delivered its new way of working. Ongoing monitoring is essential; have targets been hit and goals met? If not, why not? Managers should be asking, “Do we need to change more?”
  • Change has to work, as failure could mean losses and losses could mean the end of a business (eventually).

David Green, co-founder of The Strategic Partner and preferred risk management consultant of Paragon, has authored this article. If you have any questions raised by the content of this article, about Paragon or The Strategic Partner, or about the firm’s approach to risk management more generally, please get in touch using the details below.

CONTACT US – For more information about Paragon, our tailored indemnity solutions and specialist risk management services, please contact:

Martin MacHale

T  +44 (0)20 7280 8209
M  +44 (0)7854 314 344

Ryan Senior

T  +44 (0)20 7280 8254
M  +44 (0)7827 575 652




Copyright ©2021 Paragon International Insurance Brokers Ltd is authorised and regulated by the Financial Conduct Authority. Registered in England & Wales, Company No: 03215272. VAT Registration No: 685151130
Paragon Brokers (Bermuda) Ltd is authorised & regulated by the Bermuda Monetary Authority. Registered in Bermuda, Company No: 33838.