The title of this article was also the title of a session presented at ABA TECHSHOW 2018. And each part of the title is true. It is absolutely necessary to have cyber insurance to manage your risk. No amount of technology, policies, or training can guarantee that you will not be breached.

Expensive? Oh yes. Get ready for sticker shock when you purchase cyber insurance. Because we make continuing legal education presentations on cyber insurance, we can tell you with some assurance that lawyers are very confused about the specific insurance they need. Insurance companies are not very helpful – the various policies offered across the industry are not at all standardized – and of course they are written in complicated language that often obfuscates their meaning.

The State of Cyber Insurance Coverage

According to a 2017 survey by the data analytics firm FICO, one-half of U.S. businesses have no cyber insurance, 27 percent have no plans to buy coverage, and only 16 percent report having a policy that covers all cyber risks. There is a certain justified cynicism about cyber insurance. The news is rife with companies that had cyber insurance, but found – after being breached – that a substantial portion of their damages were not covered.

A 2017 report by Deloitte, “Demystifying Cyber Insurance Coverage,” called the market “promising” but “problematic” for the insurance companies as well as customers. We don’t have a lot of historical data to help us construct reliable predictive models. With threats evolving daily and many different kinds of damage possibly occurring, perhaps over a broad swath of insurance company customers, insurers are flying blind – something you can see for yourself when you look at widely varying prices for widely varying coverage.

As a result, many insurers are focused on personally identifiable information (PII) coverage, which might or might not be an organization’s primary need. Chubb Group, a well-known and early entrant into the cybersecurity market, paid some of the losses for P.F. Chang’s point-of-sale data breach but it did not cover the required $1.9 million Payment Card Industry Data Security Standard assessment. If you don’t even know what that means (and many lawyers do not), take a deep breath and do a search on PCI-DSS fines.

Even after all this time, many law firms and other entities mistakenly believe that their general liability or business interruption policies fully cover data breaches. Some of them have learned the hard way how very wrong they were.

Given the fact that law firms are generally not models of strong cybersecurity practices, it would be prudent for them to up their game, especially because clients and potential insurers are asking hard questions about firms’ security. In 2017, legal technology firm LogicForce gave the legal industry only a 42 percent rating on its cybersecurity health. The score was based on 12 factors, weighted differently: information on information security executives, policies, multifactor authentication, cyber training (we have seen a big uptick there), cyber insurance, penetration testing, vulnerability testing, third-party risk assessments, information governance, cyber investment, full disk encryption, and data loss prevention technology and software.

Comparisons Are Not Apples to Apples

The best you can probably do is to consult a trusted insurance advisor who is accustomed to dealing with cybersecurity policies. Once you get over the aforementioned sticker shock for the costs of the policy and absorb the grim reality of the high deductibles, you must get into the nitty gritty of a subject that is very hard to understand if you are not in the insurance business and do not have a keen understanding of cybersecurity.

Often when lawyers ask us where to get impartial advice, we are apt to recommend they ask their colleagues for references. But we are less likely to do so when the issue is cyber insurance because, unless your colleagues have suffered damages from a cyber attack or breach, they really don’t know how good their policies are.

More than 50 percent of the cost of a data breach may come from digital forensics and the data breach lawyer you hire, which are not covered by the lawyers’ professional liability (LPL) policy.

Most lawyers have professional liability insurance, which will undoubtedly provide some cyber insurance coverage given that lawyers are holding data because they are rendering legal services. However, more than 50 percent of the cost of a data breach may come from digital forensics and the data breach lawyer you hire, which are not covered by the lawyers’ professional liability (LPL) policy. Other costs that likely are not covered include public relations coverage, data breach law compliance and notification costs, and regulatory investigations costs, including fines and penalties.

What Insurers Need to Know Before Giving a Quote

Clearly, the information sought will vary from insurer to insurer, but here is a list of questions insurers likely will ask.

1. Have you had a cybersecurity audit performed by an independent third party? Insurers will want the results and an accounting of any remediation that was performed.

2. Do you have email encryption available for use? Is it used?

3. Do you use full disk encryption?

4. Do you train your employees in cybersecurity, and if so, how often do you train them?

5. Have you ever experienced a data breach or other major cybersecurity incident? Insurers will want details, including how long it took to discover any breaches.

6. Do you comply with any national and international cybersecurity standards?

7. Have you ever made an insurance claim involving cybersecurity? If yes, you will need to provide details.

8. Has any other insurer cancelled your cybersecurity policy or refused to renew one?

9. When employees are processed out of your firm, what measures do you take to secure your data?

10. Do you do background checks on new employees? Are they trained in security policies?

11. Are you following general best practices regarding passwords and access control and patching and upgrading outdated software that is not receiving security patches?

12. Is logging enabled? What is the retention period of log files?

Types of Information for Which Insurers Probably Will Request Lists or Descriptions

In addition to being prepared to answer the preceding questions, you should also have the following categories of information available for insurers when you are seeking a quote:

• Your security-related policies.

• How your backup is engineered – to make sure, if you contract ransomware, that you have a reliable backup from which you can restore your data.

• Enterprise-level security software and hardware, including firewalls, data loss prevention, incident detection software, and so on.

• The physical security of your premises.

• Mobile device security, including whether you can remotely wipe lost or stolen devices.

• Details of vendor management for those who have any degree of network access or who hold your data by design and whether audits of those vendors are required.

• Awareness, when the application is filled out, of facts that might give rise to a possible claim.

• The kind of data you hold (health data, credit card data, banking records – any sort of protected data).

• The amount of your annual cybersecurity budget, particularly if yours is a large firm.

• Financial data about your firm, including assets, revenues, number of employees, and any proposed merger or acquisitions.

The list of possible insurer questions can seem daunting, especially if you become aware that your truthful answers (and failure to be truthful may invalidate coverage) might have negative ramifications for your insurance application. Insurers are not required to explain negative ramifications but might do so if asked.

What to Ask a Prospective Insurance Company

This can be a hard question, but we have found it useful to set forth specific scenarios involving specific types of harm and ask the insurance agent to indicate which language covers which harm. For instance, virtually all insurance policies cover actual loss or damage to your computers, but not the loss of the data.

Can you sometimes negotiate the coverage itself? Absolutely. Of course, that may come with a price tag. Taken together, the premium, the deductible, and the coverage should give you a somewhat clear idea of how well you are managing the risks you cannot wholly protect against – and the price for doing so. And if you don’t like one proposal, you will have alternatives because there are now more than 60 carriers offering cyber insurance.

We have found it useful to set forth specific scenarios involving specific types of harm and ask the insurance agent to indicate which language covers which harm.

If your data is in the cloud or otherwise held by third parties, you will need third-party coverage. If your firm is active with social media coverage, you might need media liability coverage. And when regulatory fines loom, and they often do these days, you should have coverage for regulatory fines.

Ask your insurer as many questions as you can think of, but here are a few starters.

1. Is the coverage retroactive? How far back, if so?

2. Does the insurer believe your limits of coverage are adequate for your needs, especially given the nature of the data you hold and the size of your firm?

3. Does the policy cover both the loss and the compromise of data? (For example, make sure data encrypted by ransomware is covered.)

4. Is there a discount if you have a third-party independent audit and remediate any crucial vulnerabilities found by the audit?

5. Are you covered if a vendor holding your data suffers a breach?

6. For an additional premium, does the insurer offer a subrogation waiver? We know some of you are asking “What’s this?” Google it to find a full explanation and the reasons such a waiver may be desirable.

Final Thoughts

According to Fitch Ratings, in 2016 the cyber insurance industry grew by 35 percent. Allied Market Research predicted that the global market may reach $14 billion by 2022. But if you want a queasy stomach as you fork over huge premiums, consider this quote from Tim Francis, a vice president and enterprises lead for cyber insurance at Travelers: “There’s so much new coverage out there that hasn’t been tested.… One day there will be certain claims and we’ll figure if the words we used to convey coverage actually say what we thought they meant, which is often up to a lot of lawyers.”

Not very reassuring, is it? The world of cyber insurance is evolving – think how little we have by way of precedents. Combine that with the rapid changes in attack surfaces, cyber weapons, and tactics, and so on, and it is a bit unsettling. As we have now reached the point where many firms have been breached – and will be breached again – the one thing we can tell you for sure is that cyber insurance is essential risk management for law firms.