    Wisconsin Lawyer
    October 12, 2018

    Cyber Insurance: Necessary, Expensive, and Confusing as Hell

    If your law practice relies on computer technology, you need cyber insurance. Here are some tips for shopping for the right kind. 

    Sharon D. Nelson & John W. Simek


    The title of this article was also the title of a session presented at ABA TECHSHOW 2018. And each part of the title is true. It is absolutely necessary to have cyber insurance to manage your risk. No amount of technology, policies, or training can guarantee that you will not be breached.

    Expensive? Oh yes. Get ready for sticker shock when you purchase cyber insurance. Because we make continuing legal education presentations on cyber insurance, we can tell you with some assurance that lawyers are very confused about the specific insurance they need. Insurance companies are not very helpful – the various policies offered across the industry are not at all standardized – and of course they are written in complicated language that often obfuscates their meaning.

    The State of Cyber Insurance Coverage

    According to a 2017 survey by the data analytics firm FICO, one-half of U.S. businesses have no cyber insurance, 27 percent have no plans to buy coverage, and only 16 percent report having a policy that covers all cyber risks. There is a certain justified cynicism about cyber insurance. The news is rife with companies that had cyber insurance, but found – after being breached – that a substantial portion of their damages were not covered.

    Attorney Sharon D. Nelson is president and John W. Simek is vice president of Sensei Enterprises Inc., a legal technology, information security, and digital forensics firm based in Fairfax, Va. (703) 359-0700.

    A 2017 report by Deloitte, “Demystifying Cyber Insurance Coverage,” called the market “promising” but “problematic” for the insurance companies as well as customers. We don’t have a lot of historical data to help us construct reliable predictive models. With threats evolving daily and many different kinds of damage possibly occurring, perhaps over a broad swath of insurance company customers, insurers are flying blind – something you can see for yourself when you look at widely varying prices for widely varying coverage.

    As a result, many insurers are focused on personally identifiable information (PII) coverage, which might or might not be an organization’s primary need. Chubb Group, a well-known and early entrant into the cybersecurity market, paid some of the losses for P.F. Chang’s point-of-sale data breach but it did not cover the required $1.9 million Payment Card Industry Data Security Standard assessment. If you don’t even know what that means (and many lawyers do not), take a deep breath and do a search on PCI-DSS fines.

    Even after all this time, many law firms and other entities mistakenly believe that their general liability or business interruption policies fully cover data breaches. Some of them have learned the hard way how very wrong they were.

    Given the fact that law firms are generally not models of strong cybersecurity practices, it would be prudent for them to up their game, especially because clients and potential insurers are asking hard questions about firms’ security. In 2017, legal technology firm LogicForce gave the legal industry only a 42 percent rating on its cybersecurity health. The score was based on 12 factors, weighted differently: information on information security executives, policies, multifactor authentication, cyber training (we have seen a big uptick there), cyber insurance, penetration testing, vulnerability testing, third-party risk assessments, information governance, cyber investment, full disk encryption, and data loss prevention technology and software.

    Comparisons Are Not Apples to Apples

    The best you can probably do is to consult a trusted insurance advisor who is accustomed to dealing with cybersecurity policies. Once you get over the aforementioned sticker shock for the costs of the policy and absorb the grim reality of the high deductibles, you must get into the nitty gritty of a subject that is very hard to understand if you are not in the insurance business and do not have a keen understanding of cybersecurity.

    Often when lawyers ask us where to get impartial advice, we are apt to recommend they ask their colleagues for references. But we are less likely to do so when the issue is cyber insurance because, unless your colleagues have suffered damages from a cyber attack or breach, they really don’t know how good their policies are.


    Most lawyers have professional liability insurance, which will undoubtedly provide some cyber insurance coverage given that lawyers are holding data because they are rendering legal services. However, more than 50 percent of the cost of a data breach may come from digital forensics and the data breach lawyer you hire, which are not covered by the lawyers’ professional liability (LPL) policy. Other costs that likely are not covered include public relations coverage, data breach law compliance and notification costs, and regulatory investigations costs, including fines and penalties.

    What Insurers Need to Know Before Giving a Quote

    Clearly, the information sought will vary from insurer to insurer, but here is a list of questions insurers likely will ask.

    1. Have you had a cybersecurity audit performed by an independent third party? Insurers will want the results and an accounting of any remediation that was performed.

    2. Do you have email encryption available for use? Is it used?

    3. Do you use full disk encryption?

    4. Do you train your employees in cybersecurity, and if so, how often do you train them?

    5. Have you ever experienced a data breach or other major cybersecurity incident? Insurers will want details, including how long it took to discover any breaches.

    6. Do you comply with any national and international cybersecurity standards?

    7. Have you ever made an insurance claim involving cybersecurity? If yes, you will need to provide details.

    8. Has any other insurer cancelled your cybersecurity policy or refused to renew one?

    9. When employees are processed out of your firm, what measures do you take to secure your data?

    10. Do you do background checks on new employees? Are they trained in security policies?

    11. Are you following general best practices regarding passwords and access control, and regarding patching and upgrading outdated software that is no longer receiving security patches?

    12. Is logging enabled? What is the retention period of log files?

    Types of Information for Which Insurers Probably Will Request Lists or Descriptions

    In addition to being prepared to answer the preceding questions, you should also have the following categories of information available for insurers when you are seeking a quote:

    • Your security-related policies.

    • How your backup is engineered – to make sure, if you contract ransomware, that you have a reliable backup from which you can restore your data.

    • Enterprise-level security software and hardware, including firewalls, data loss prevention, incident detection software, and so on.

    • The physical security of your premises.

    • Mobile device security, including whether you can remotely wipe lost or stolen devices.

    • Details of vendor management for those who have any degree of network access or who hold your data by design and whether audits of those vendors are required.

    • Awareness, when the application is filled out, of facts that might give rise to a possible claim.

    • The kind of data you hold (health data, credit card data, banking records – any sort of protected data).

    • The amount of your annual cybersecurity budget, particularly if yours is a large firm.

    • Financial data about your firm, including assets, revenues, number of employees, and any proposed merger or acquisitions.

    The list of possible insurer questions can seem daunting, especially if you become aware that your truthful answers (and failure to be truthful may invalidate coverage) might have negative ramifications for your insurance application. Insurers are not required to explain negative ramifications but might do so if asked.

    What to Ask a Prospective Insurance Company

    This can be a hard question, but we have found it useful to set forth specific scenarios involving specific types of harm and ask the insurance agent to indicate which language covers which harm. For instance, virtually all insurance policies cover actual loss or damage to your computers, but not the loss of the data.

    Can you sometimes negotiate the coverage itself? Absolutely. Of course, that may come with a price tag. Taken together, the premium, the deductible, and the coverage should give you a somewhat clear idea of how well you are managing the risks you cannot wholly protect against – and the price for doing so. And if you don’t like one proposal, you will have alternatives because there are now more than 60 carriers offering cyber insurance.


    If your data is in the cloud or otherwise held by third parties, you will need third-party coverage. If your firm is active with social media coverage, you might need media liability coverage. And when regulatory fines loom, and they often do these days, you should have coverage for regulatory fines.

    Ask your insurer as many questions as you can think of, but here are a few starters.

    1. Is the coverage retroactive? How far back, if so?

    2. Does the insurer believe your limits of coverage are adequate for your needs, especially given the nature of the data you hold and the size of your firm?

    3. Does the policy cover both the loss and the compromise of data? (For example, make sure data encrypted by ransomware is covered.)

    4. Is there a discount if you have a third-party independent audit and remediate any crucial vulnerabilities found by the audit?

    5. Are you covered if a vendor holding your data suffers a breach?

    6. For an additional premium, does the insurer offer a subrogation waiver? We know some of you are asking “What’s this?” Google it to find a full explanation and the reasons such a waiver may be desirable.

    Final Thoughts

    According to Fitch Ratings, in 2016 the cyber insurance industry grew by 35 percent. Allied Market Research predicted that the global market may reach $14 billion by 2022. But if you want a queasy stomach as you fork over huge premiums, consider this quote from Tim Francis, a vice president and enterprises lead for cyber insurance at Travelers: “There’s so much new coverage out there that hasn’t been tested.… One day there will be certain claims and we’ll figure if the words we used to convey coverage actually say what we thought they meant, which is often up to a lot of lawyers.”

    Not very reassuring, is it? The world of cyber insurance is evolving – think how little we have by way of precedents. Combine that with the rapid changes in attack surfaces, cyber weapons, and tactics, and so on, and it is a bit unsettling. As we have now reached the point where many firms have been breached – and will be breached again – the one thing we can tell you for sure is that cyber insurance is essential risk management for law firms.

    5 Cyber Protection Tips to Act on Now

    By Tom Widman

    The frequency of hacks and cyber scams continues to soar. Our claim activity reveals that crypto-locker type ransomware and credential theft are our top two sources of claims. However, simple human errors, burglaries, and lost laptops are also resulting in claims.

    Demystifying Cyber Insurance

    To help demystify cyber insurance, here are a few quick things to consider:

    • Cyber insurance is confusing as hell. This is true for most folks. Many insurers are providing cyber insurance, with many variations in language, coverage, and pricing. Save time and speak to a skilled cyber insurance broker. You will easily find a cost-effective and appropriate policy.

    • Cyber insurance is very expensive. Not so much. Our entry level pricing is about $300 per year for a policy that has a $250,000 limit and a $1,000 retention. With many new entrants to the cyber insurance field, there is an increasing supply. Competition for new business has benefitted most clients who are able to obtain better terms, conditions, and lower prices.

    • Cyber insurance has become necessary. True. To survive in a chaotic cyber risk environment, consider cyber insurance as an essential final layer of security. When all other security and prevention measures fail, cyber insurance can help save the day.

    5 Cyber Protection Tips

    Here are a few important protection tips, based on our recent claim activity, that you should verify or undertake right now.

    • Educate all staff on phishing and spear phishing emails, the number one attack vector right now.

    • Ensure proper backup of all relevant data. This includes having multiple sources of backup in case one fails and testing that your backup actually works!

    • Patch vulnerabilities and ensure automatic updates are turned on (and ensure that your anti-malware and firewalls are working).

    • Ensure that passwords are strong and complex, any remote desktop access is secure, and two-factor authentication is being used wherever it is made available (for example, online banking).

    • If you use Microsoft 365, log in as Admin to activate two-factor authentication and, separately, logging. At the same time, carefully review whether any unauthorized rules have been created or any emails have been deleted or forwarded. (Thieves are gaining access, monitoring activity, cherry picking key emails, and masquerading as you to pillage, steal, and spread malware.)
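    The inbox-rule review in the last tip can be done across every mailbox at once from PowerShell. The script below is an added example, not part of the article or of any insurer's program; it assumes the ExchangeOnlineManagement module is installed and that the account running it holds an Exchange administrator role.

```powershell
# Added example (not from the article): flag Exchange Online inbox rules that forward,
# redirect, or delete mail, and confirm mailbox auditing (logging) is on for the tenant.
# Assumes the ExchangeOnlineManagement module and an Exchange admin account.
Connect-ExchangeOnline -ShowBanner:$false

# Tenant-wide audit setting: AuditDisabled = $true means mailbox logging is off.
$orgConfig = Get-OrganizationConfig
if ($orgConfig.AuditDisabled) {
    Write-Warning "Mailbox auditing is disabled for this tenant; enable it before going further."
}

$mailboxes = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

$suspicious = foreach ($mbx in $mailboxes) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        # Any of these three properties sends a copy of mail somewhere else.
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $targets = @($targets | Where-Object { $_ })

        # Attackers often pair forwarding with deletion so the victim never sees the message.
        if ($targets.Count -gt 0 -or $rule.DeleteMessage) {
            [pscustomobject]@{
                Mailbox     = $mbx.UserPrincipalName
                RuleName    = $rule.Name
                Enabled     = $rule.Enabled
                ForwardsTo  = ($targets -join '; ')
                Deletes     = [bool]$rule.DeleteMessage
                Description = $rule.Description
            }
        }
    }
}

# Review this list with the mailbox owners; rules they do not recognize are incident material.
$suspicious | Sort-Object Mailbox | Format-Table -AutoSize
```

    Rules that forward to addresses outside the firm, or that delete mail matching a sender or keyword, deserve the first look; a rule the owner did not create is a sign the account has already been compromised and should be handled under your incident response plan.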

    Our cyber risk motto is “prevent-protect-respond.” The only sensible course of action given limited resources is to 1) prevent a loss from happening as best you can; 2) insure your business, knowing no one can guarantee that a loss will not occur; and 3) respond to an incident with diligence and according to your written plan. Obtaining BIZLock will help you take a major step in the right direction. 

    Learn More About a New Cyber Solution

    Join me at the State Bar of Wisconsin Solo and Small Firm Conference on Thursday, Oct. 25. We’ll discuss why cyber prevention remains paramount and how cyber insurance can come to the rescue when all else fails. You’ll learn about the main coverages for liability, regulatory fines, extortion, business interruption, breach response, and more, along with other key coverage terms, conditions, and exclusions, and why cyber insurance is now becoming so affordable, commonplace, and the smart choice to protect your practice.

    You’ll also learn about a new benefit available to State Bar members. The State Bar recently chose M3 Insurance as its partner in offering coverage that can be specifically tailored to meet your cybersecurity needs. The BIZLock program provided by Identity Fraud is now available to all members. Visit the member benefits/insurance offerings area to review our BIZLock offering for State Bar members.

    Whatever you do, act now.

    Tom Widman is president and CEO of Identity Fraud Inc. Their BIZLock® small business cyber insurance program insured by AIG has been selected by the State Bar of Wisconsin as the preferred cyber solution for members through the business relationship with M3 Insurance.
