Experts warn law firms to protect themselves against cyberattacks
With the Target and Neiman Marcus data breaches continuing to make headlines, experts participating in an American Bar Association webinar last month stressed the importance for businesses such as law firms to prepare adequately for cyberattacks and emphasized the value of cyber liability insurance.
“When we’re speaking about cyber liability insurance, the first thing we really want to highlight is there’s not a lot of history yet when it comes to these types of events,” said Karl Pedersen, a senior vice president at Willis, a global insurance broker.
Maintain cyber liability insurance.
Conduct proper background screenings for new hires and vendors.
Pre-arrange a breach service provider, outside counsel and reputational risk
Provide “certification” through e-learning to employees on safeguarding data.
Develop an incident response plan.
Conduct annual risk assessment and tabletop exercises.
Hold internal “privacy summit” to identify vulnerabilities.
Keep general counsel’s office current on state and federal disclosure laws.
Implement data encryption.
Use contemporary mobile device management software if employing a “bring your own device” policy.
While cyber liability insurance first appeared in 1998, the industry didn’t see an uptick in clients buying these policies until after California enacted the first data breach notice law in 2003. The law requires entities that maintain personal data about state residents to provide notice when certain information is accessed without authorization. Now, 46 states have such laws in place.
David J. Chatfield, vice president of cybersecurity services at NetDiligence, a cyber risk assessment services company, said the prominence of these laws and some of the high-profile retail data breaches have been “a significant driver of activity” and have “enhanced the market for cyber policies.”
Pedersen said the market is maturing, with more than 60 insurers now writing cyber coverage.
However, Chatfield pointed out the lack of law firm participation in the market. He said that fewer than five of NetDiligence’s cyber risk assessment clients each year are law firms. “From our assessment population, such as it is, penetration by law firms is extremely low and among the lowest of the major sectors that we deal with,” he said.
Cyber liability coverage is necessary because data is not considered tangible property and is therefore excluded from coverage under general insurance policies, said Jennifer A. Coughlin, claims counsel for bond and financial products at Travelers Insurance in Philadelphia.
Cyber liability policies fill the gap, Pedersen said, explaining that basic cyber policies usually cover privacy expenses (notification, forensics, credit monitoring), security liability and electronic media liability. Other coverage options range from cyber extortion to data restoration to system failure.
He recommended that businesses make sure their cyber liability policy includes prior acts coverage because a company’s network may have already been infiltrated without its knowledge before the policy was purchased. Pedersen said multiple current cyber events, including the Neiman Marcus breach, involved threats that had been in the networks for a long period of time.
He also identified several coverage limitations to avoid when buying a cyber liability policy.
“Absolutely never ever accept an unencrypted laptop or mobile device exclusion,” Pedersen said. More than one-third of cyber breaches occur because of these reasons, he noted.
Pedersen also cautioned against a wild virus exclusion, which means the insurance would only cover an attack targeted against the entity itself. However, more than 90 percent of the viruses out there are wild in nature and not directed against one particular entity, he explained.
In addition, he said businesses should watch out for inadequate sublimits on forensics, saying that businesses need a minimum of $500,000 of forensics coverage.
Chatfield said cyber breaches are growing in both frequency and cost. According to NetDiligence’s 2012 report “Cyber Liability and Data Breach Insurance Claims,” which analyzed 137 events reported from 2009 to 2011, the average cost of a breach was $3.7 million. While the actual claim range was huge, from $2,000 to $76 million, the typical claim ranged from $25,000 to $200,000.
He said legal expenses made up the largest portion of the costs incurred, with defense costs averaging $582,000 and settlement costs averaging $2.1 million.
“The best thing to do when a breach happens is to get privacy and data security attorneys in right away so they can kind of spearhead exactly what needs to happen,” Coughlin said. “If the lawyers are involved in the beginning, then when a regulator opens up an inquiry or the entity is served with a lawsuit or named in something, then they are already up to speed.”
She said many cyber policies have “breach coaches,” a lawyer designated by the insurer. “You talk about what happened and the breach coach can kind of get a sense of what’s required, if anything, by the data incident,” she explained. “But you can have this coverage enhancement put on your policy where you can retain the counsel of your own choice.”
Chatfield laid out steps that companies can take to mitigate risk of a cyber breach, including conducting risk assessments to gauge the effectiveness of their policies, completing internal and independent testing of their networks, implementing necessary changes and continuously improving their system.
Coughlin described a number of best practices that businesses should put in place, including maintaining cyber liability insurance. Other best practices are conducting proper background checks on employees and vendors, training employees on safeguarding data, developing an incident response plan and conducting annual risk assessments.
“Regulators will want to know what best practices you had in place at the time of the incident,” Coughlin said. “Regulators are very happy when they see that you did have some best practices in place because they do understand accidents happen. They will probably investigate you much longer if you don’t have some of these best practices in place.”
Pedersen said that companies are increasingly putting these best practices into place and that some insurers will not write a cyber liability policy for a business unless it can show some data protection is in place.
“Certainly underwriters are indeed looking for what I would call substantial compliance with these various practices,” Chatfield said, “but each carrier has different risk appetites for the types of clients and levels of compliance that they are willing to undertake, and pricing will likely be set out accordingly.”
Pedersen said incident response planning is “absolutely critical” for businesses to complete before a cyberattack occurs. “Cyber policies are one of the unique policy forms out there that you actually have to do your homework prior to the claim occurring itself,” he said.
A CD-ROM of this webinar, “Evaluating Cyber Liability Insurance Policies: What You Should Know to Make a Purchasing Decision,” can be purchased in the ABA Web Store.
The article “Protect your firm: Invest in cyber liability insurance” provides advice from Wesley Sunu, a director at Chicago law firm Tribler Orpett & Meyer, where he concentrates in reinsurance, insurance coverage and professional liability litigation.
“Network Risk Insurance 2012: Privacy & Security Exposures and Solutions for Law Firms” in Law Practice Today, the monthly webzine of the ABA Law Practice Division, gives an in-depth look at cyber liability insurance, also known as network risk insurance.
For more information, check out the ABA Cybersecurity Legal Task Force’s list of resources for those in the legal profession.