With cyber threats on the rise, all businesses, law firms included, need to adapt in order to mitigate these perpetual risks. According to the 2019 Verizon Data Breach Investigations Report (DBIR), 43 percent of data breaches in 2018 targeted small businesses. Additionally, the DBIR noted that the professional services industry, which includes law firms, saw an increase in cyber threats through phishing scams and attacks involving credential theft. The DBIR reported that financial gain was the primary motive for attacks on professional services industries, demonstrating that malicious actors remain homed in on monetizing stolen data. As attempts to gain access to and compromise sensitive information entrusted to lawyers continue, it is critical for lawyers to protect their email and credentials and also to consider how cyber insurance can play a role in supporting a comprehensive cybersecurity strategy.
Although law firms of every size could be data breach targets, small law firms are likely to maintain diverse clients that require lawyers to counsel and provide legal services within different practice areas. As a result of a diverse practice, small law firms are collecting and handling different types of client information and data. Also, the practice area in itself—such as health care—may mandate that law firms adhere to certain regulatory requirements when handling client information. Diverse practice areas, combined with cyber insurance products that vary by insurer, require small law firms to understand the information landscape within their firm before procuring cyber insurance. Because of this, lawyers, regardless of firm size, should review their cyber insurance needs, as legal malpractice and other insurance policies might not protect lawyers for breaches and cyberattacks.
Cyber insurance policies are not uniform, so policy language and coverage offerings vary by insurer. The following provides general descriptions of cyber coverages available in the marketplace that law firms should consider. To comprehend the coverage, any cyber policy must be read in its totality to understand the symbiotic relationship among the policy’s provisions and sections, as well as any policy change made by rider or endorsement.
Coverage for First-Party Costs
Breach Response Costs: These first-party costs are the cornerstone to cyber coverage, as they provide the policyholder access to legal services (breach coach), forensics, notification costs, credit monitoring, and public relations.
Data Restoration: Costs to replace computer systems due to corruption or destruction caused by a data breach.
Network/Business Interruption: Reimbursement for loss of business income due to a security event.
Cyber Extortion Costs: Costs, or ransom, paid to prevent a third party from releasing or disclosing protected information.
Coverage for Liability to a Third Party
Privacy Liability: Liability arising out of the unauthorized disclosure of protected information.
Network Security Liability: Liability arising out of unauthorized access to computer systems.
Regulatory Liability: Liability incurred from responding to an investigation or formal proceeding brought by an administrative or regulatory agency alleging a violation of a privacy regulation.
Multimedia Liability: Liability associated with libel, slander, trade libel, or disparagement resulting from published material.
In consideration of the coverages listed above, cyber insurance products are evolving and coverages continue to expand. Recently, some standalone cyber policies started offering coverage that addresses cyber risks arising from social engineering fraud, reputational diminishment, and third-party service providers. Insurers vary in how they define certain coverages under cyber policies, so the firm should make sure it understands what coverage is being provided by a particular insurance policy.
To procure a cyber insurance policy, lawyers need to complete an application so insurers can underwrite their cyber risk profile. The application will include questions about the firm’s business activities, such as practice areas, risk management procedures for clients, and revenues. Also, at a minimum, the application will ask data-specific questions about the amount and type of information handled, security procedures for computers and systems, vendors, and written data privacy policies maintained by the law firm. Any internal or external assessment performed on the firm’s network or systems by a third party may help supplement an application, but assessments are generally not required to apply for cyber insurance.
Given the costs associated with purchasing a standalone cyber policy, an alternative to the standalone policy is to endorse cyber coverage onto the Lawyers Professional Liability (LPL) insurance policy. Most LPL policies can provide a cyber coverage endorsement or rider, and usually an additional premium is required. Generally, there are some cost savings when cyber coverage is consolidated under the LPL coverage. However, the cyber coverage endorsed to the LPL is typically limited coverage because it provides a sublimit for certain first-party cyber risks. Whether a firm purchases cyber insurance through a standalone or LPL policy, it’s critical that the purchased coverage is uniquely tailored to the organization’s level of cyber risk.
A cyber insurance policy on its own is not an adequate cybersecurity strategy for law firms. However, a law firm’s failure to secure proper coverage—a policy providing the coverage and limits that address the firm’s specific cyber risks—can be a serious oversight that results in financial and reputational consequences.