Insurance professional Ralph Pasquariello offers a cautionary tale about one law firm that recently paid the price for cheapening out on its cyber liability insurance.
“I got called in to insure a firm here in Atlanta,” he recalls. “When I met with them over the last couple of years, they resisted my help and assessment of their coverages. Then, six months ago, they were involved with a business e-mail compromise that cost them $127,000.
“The cyber policy I would have sold them would have cost somewhere around $6,000,” said Pasquariello, cyber/data/network liability specialist and commercial liability consultant for Atlanta-based Snellings Walters Insurance. “Do the math. The loss they incurred was much more than $127,000, as they needed to pay for forensics and restoration costs.”
While that may sound like a good-sized loss, in the larger scheme of cyber losses, it’s still on the low end — and that firm’s blind spot for a major cyber-related loss is not uncommon. When it comes to purchasing adequate insurance coverage to protect them against digital-based threats, many law firms often spend far less than they should to protect themselves — and put themselves at serious risk.
This is largely due to two key factors: First, most law firms typically do not comprehend the scope of the cyber exposures they face, and second, those firms — like many businesses — possess a very limited understanding of the coverage protections available to them, what losses are covered, and how valuable Cyber insurance can be.
Cyber risks for law firms: A primer
Joshua Motta, CEO/co-founder of cyber insurer Coalition, explains that because law firms act as title agents and hold funds in escrow for their clients, if that firm gets socially engineered or its security fails, any dollar amount between the entire cost of a home to millions of dollars can be lost.
“We have seen criminal actors target law firms due to the role they play in managing large-ticket wire transfers on behalf of their clients,” said Motta. “If an attacker can gain access or social engineer their way to those funds, they can often walk away with hundreds of thousands of dollars.”
If you think only large firms are at risk, think again. Small to midsize law firms, Motta continues, “have the sort of information that criminal actors would love to have, and they’re collecting data on a scale that their size may not necessarily imply.”
One example would be a firm handling a class-action suit for multiple clients against a hospital, in which medical records are involved and held by the firm. “Regulatory fines for the loss of private health information (PHI) can be significant,” Motta stresses. “Law firms collecting this information from clients may not realize the extent to which they’ve set themselves up as aggregators of PII or PHI. That’s a unique exposure.”
One key risk that all commercial businesses are subject to is business interruption due to hacking. “Most people are under the impression that their General Liability insurance will pay for business interruption. It will under general liability risks, but not in the case of a cyber attack or malware incident,” Pasquariello notes.
Consider, he said, what the cost would be to any size firm if that business has to close its doors for two weeks or four weeks while the proper forensics are done and systems are restored to normal. “The new malware that is out there will not only encrypt your system, it will also migrate to your backup in the cloud,” he explains. “That renders a company useless.”
Likewise, a ransomware attack, in which a firm can get locked out of its computer systems, can cost a firm millions in lost business while all of its data is rendered inaccessible. “How much would you pay for an insurance policy to cover those types of damages?” Pasquariello asks.
“Law firms may also be particularly susceptible to ransomware,” said Edward Chang, second vice president, Cyber Risk Management, Bond & Specialty Insurance at Travelers. “There have been instances, for example, where cybercriminals have coerced a ransom payment by threatening to contact a firm’s clients, since law firms may be especially vulnerable to such threats.”
Cyber criminals who use ransomware are now tailoring their ransom demands based on the value of the systems and the data that have been compromised. Chang cites one case in which cyber criminals demanded millions of dollars from a midsize law firm, an amount that probably would have put the firm out of business: The insurer’s claims team was able to put the firm in touch with incident-response professionals who were familiar with the cybercrime group involved and were able to negotiate a reduced ransom demand that allowed the firm to continue operating.
“A law firm’s entire business is built on trust,” said Motta. “Any breach or loss of client data can substantially impair that trust, and even become a company-ending event.”
An Ounce of (Needed) Prevention
While it’s difficult to get people to admit it on the record, among law professionals, cyber security companies and insurers there is a prevailing sense that law firms are leaving themselves exposed. David Forrestall, CEO of cyber security firm SecurIT360, said 60% of the law firms his business has audited say they have cyber insurance — which he actually considers an improvement over recent years.
“Most of them are just checking a box,” he said, noting that more clients are asking the firms whether they “have” cyber coverage. Few firms, he notes, are taking a holistic view of their myriad risks.
Forrestall recalls one small firm he worked with that was hit with a social-engineering breach, the type in which a cyber criminal tricks an employee into giving up information like passwords or other confidential information, or coerces them into executing a wire transfer through which funds are stolen.
The firm got into a dispute with its insurer over the claim, which was caused by a phishing incident (a social-engineering breach executed via e-mail) after it found it had insufficient coverage. “They were only covered for $100,000 under a social engineering claim, but the wire transfer was much larger than that,” said Forrestall.
Cyber insurance consultant Judy Selby concurs that most law firms are underinsured. “None of it surprises me,” she said, “and none of this would be isolated to law firms. What I find in the marketplace is a lack of understanding about exposure, and what the real risk to the business is.”
Understanding What’s Covered
Uncertainty about exactly what protections are provided in a cyber policy is part of the problem. That’s not always clear to the potential client.
Ryan Schlunz, chief administrative and innovation officer at Portland, Ore.-based Stoel Rives, said he’d like to know better where his coverage might be falling short, or alternatively, whether his firm is paying for specific protections it doesn’t need.
Bob Baradaran, managing partner of Greenberg Glusker, a midsize law firm in Los Angeles, said his firm has a good understanding of its policy. Still, he adds, not having used its cyber insurance before, identifying any coverage gaps is difficult.
A law firm’s insurance needs will vary, depending on size, type of practice, and cybersecurity maturity, said Chang. “Many law firms buy limits of about $1 million, which is a nice round number, but it would be good practice for a firm buying cyber insurance to consult with a trusted, independent insurance agent or broker to determine appropriate limits and sublimits based on the firm’s specific cyber and information privacy exposures.”
At Stoel Rives, “There has been no perfect science behind exactly how we calculate the amount” of coverage the firm buys, said Schlunz. The firm’s analysis for that insurance purchase includes “what the industry is doing, what insurance brokers are suggesting, what other insurance we have that might cover losses related to a cyber threat.”
Schlunz adds that his firm has a pretty good sense of how much coverage it gets from its cyber insurance policies. Still, he said, “having not had to use cyber insurance yet, I don’t know what pitfalls we might encounter.”
“I understand and appreciate how that may add some complexity to the insurance side of it, but I wish it was a bit simpler to navigate,” he adds. “Everyone’s been learning as we go in the past 10 to 15 years.”
Cyber Coverage 101
So what exactly does a cyber policy include for a law firm?
“That’s the million-dollar question, because every cyber policy is different,” said Motta. “There is no standardized policy language. That’s why it’s important to work with a carrier that understands this risk, and whose policy will respond to all possible loss scenarios. Not all policies are created equal.”
Cyber insurance is still relatively new. As a consequence, forms and coverages are still evolving, so it’s important to review the actual policy to ensure that the coverage provided meets the needs of the insured.
Some typical first-party coverages include:
- Incident response costs: The legal fees and expenses associated with computer forensics, breach notification, and identity monitoring when a security breach occurs.
- Cyber extortion: Money (or cryptocurrency) paid as a result of threats made to destroy data, attack a computer system, or disclose electronic computer information.
- Business interruption: Loss of income and expenses to restore operations as a result of a computer system disruption caused by a virus or other computer system attack. Contingent business interruption is available to provide coverage when such a computer system disruption occurs to a third-party service provider, such as a website hosting company, rather than to the insured’s own network.
- Fraud: Loss of money or securities as a result of computer fraud, funds transfer fraud, or social engineering.
Typical third-party coverages include:
- Network and information-security liability: Coverage for claims arising from unauthorized access to data, failure to provide notification of a data breach when required by law, or transmission of a computer virus from the insured’s network.
- Communications and media liability: Coverage for claims arising from copyright infringement, defamation, libel, or slander in electronic content.
- Regulatory defense expenses: Coverage for claims by government agencies as a result of network and information security liability or communications and media liability.
More recent additional cyber protections include:
- System failure: Extends business interruption coverage to computer system disruptions caused by any unintentional or unplanned outage of a computer system, not only those caused by viruses; and
- Reputational harm: Lost profits to an insured resulting from damage to its reputation caused by a data breach.
Some policies will even cover the cost of replacing the actual computer systems impacted by malware. Not every insurer offers that protection; Coalition is one that does. Depending upon the size of your operation, it maybe wise to consult your broker or insurer to inquire about availability.
Additionally, many policies offer coverage against physical perils that may be caused by a cyber event, such as bodily damage, destruction of property, or pollution. An example would be a manufacturer that gets hacked and has its entire inventory destroyed when cooling systems are turned off remotely or sprinklers are turned on.
Who Controls the Buy?
Most large law firms will have a dedicated team that handles the purchasing decisions for Cyber coverage. Though the makeup of this team will vary from firm to firm, it will likely include attorneys well versed in data security matters.
Jena Valdetero, partner at Bryan Cave in New York, said its cyber insurance decisions are made by its general counsel’s office in conjunction with the data security and privacy lawyers who advise clients on their own cyber insurance procurement.
While Valdetero is confident in her team’s ability to get the best cyber insurance policy for the firm, she adds that there’s always some doubt when dealing with something as complex as insurance: “There is always that voice in your head that wants to make sure you absolutely caught everything you would need to catch in that policy.”
Schlunz appointed an information security officer at Stoel Rives — who does not report to him — to audit the IT department. The same person is responsible for the firm’s cyber insurance.
At Greenberg Glusker, a partner in the firm’s cyber security practice, along with a risk management committee and the firm’s chief financial officer, make the cyber-coverage decisions. “We understand it well because we are involved in providing that service for our clients,” said Baradaran. “It was a pretty routine thing for us to address internally.”
One law-firm leader who asked not to be named said the firm’s chief operating officer has handles cyber insurance decisions for six years now: “He looks at what we need and the risks of the business, and cyber insurance just makes sense.”
While such attorneys may understand cyber risk better than others, cyber consultant Selby said they aren’t really the best suited to advise on policy purchasing decisions. “I feel very strongly that a good background in privacy and cyber security is not enough to qualify somebody to provide advice about the adequacy of cyber insurance coverage,” she said. “I always advise clients to do a third-party risk assessment to get an unbiased idea of what their real risks are and where their exposures lie.”
The experts who firms really need to rely on, Selby adds, are insurance attorneys: “Cyber insurance policies may have terms, provisions, or exclusions that have been subject to legal precedent and jurisprudence for years and years and years. They are very specialized contracts and if you don’t involve an insurance expert in this process, you could be making mistakes.”
Even if law firms had a better understanding of their risk, however, some would still opt to buy cyber insurance policies that don’t fully cover their exposure; for many, it’s a matter of expense. “People are concerned that cyber insurance is going to be very expensive, so cost is always a big factor” when determining what policy to buy, said Rebecca Rakoski, managing partner at Xpan Law Group, a boutique privacy law firm in Philadelphia.
What policy a law firm buys can ultimately depend on their risk tolerance. “It’s like with health insurance coverage,” Valdetero explains. “Some entities will prefer to have very tailored coverage for their most likely scenario, which is usually going to be a small breach or a small data issue … but the impact of which overall is not going to be catastrophic.”
On the other hand, “other companies have a higher risk tolerance and feel they can absorb the cost of those small breach scenarios, so what they really want is coverage in the event of a catastrophic breach,” she adds.
Educational Opportunity for Insurers
Getting clients and prospects to understand both their exposures and how a comprehensive Cyber policy would respond are the two hurdles that insurance agents and brokers must clear when dealing with any commercial client, especially law firms. That creates an educational opportunity for all involved, particularly on the broker/insurer side.
Schlunz said brokers could help law firms understand their cyber insurance needs by providing precedent and showing examples of how a particular coverage would work. David Beveridge, senior partner at Shearman & Sterling, said he’d like to understand better how a cyber policy’s protections would intersect with professional negligence policy.
Forrestall cautions that for any business, cyber insurance is requirement, not a luxury, given the level of risk businesses face today: “Even if you do everything you can, there’s no guarantee that something’s not going to happen.”
Peace of mind, he notes, isn’t cyber insurance’s only value: Many insurers offer response training and other education and resources to their insureds to help avoid a breach in the first place.
Chang at Travelers adds that many cyber insurance policies will provide access to services that can help a company manage its cyber exposure. Examples of such services can include cyber assessments, consultation with a cyber security professional, and access to cyber security awareness training materials.
When it comes to mitigating cyber exposures for your firm, “it’s extremely difficult to achieve 100% perfection,” said Baradaran. “It’s an evolving space, and you should not rely on just insurance to protect you. I think if we step back a little bit and see how to address this problem, you need to use a multi-faceted approach.”
Still, having a well-crafted cyber insurance policy should be an essential part of keeping a firm’s information safe. To do anything less can put clients’ information — and business — at risk.
“Just think what it would do to a firm’s reputation if they had to close its doors for data restoration alone,” said Pasquariello. If a client was forced to make the choice, he adds, “I would rather see a company forego Fire insurance, and have them spend the money on a cyber-data and network policy.”