Tuesday, March 29, 2016

With the news that Russian hackers have been targeting U.S. and U.K. law firms as part of an insider trading scheme, it’s a good time to recirculate our tips for law firms looking to purchase cyber insurance.

As the Crain’s Chicago Business story noted, law firms “have largely trailed their clients in confronting the possibility of hackers accessing their networks for illegal profit,” even though they hold “vast repositories of confidential information.”

If your firm does not already have a cyber policy, it’s wise to consider purchasing one. Traditional law firm policies often exclude cyber risks, so you most likely won’t be able to rely on your existing policies to protect you in the event of a data breach or other cyber event.

Amy Stewart Law works with businesses, including law firms, at every step of the insurance process (from purchase and renewal, to filing insurance coverage claims and dispute resolution). Here are some tips if your firm is embarking on the cyber insurance-purchasing process:

1. Take time to assess potential risk scenarios: Spotting key risks will help the firm identify the coverage components most relevant to its practice.

a.  Analyze the firm’s dependence on computer systems and online applications to conduct business. Does the firm need network interruption coverage to protect against lost income resulting from a breach that takes those systems down? 

b.  Consider network security issues. If an unauthorized person gains access to a laptop or to the firm’s servers, what risks are presented? Could the confidentiality of client data be compromised? What about personal information about employees or clients?

c.  Does the firm accept payment by credit card? Would the firm face liability associated with the unauthorized access or misuse of that information?

2. Identify the coverages the firm should purchase: Cyber insurance policies are not standardized and vary widely from insurer to insurer; even from policy to policy. Many cyber insurers offer some combination of the following coverages (among others):

a. Network interruption coverage protects against losses resulting from the firm’s inability to produce income due to a cyber-security event, typically after a waiting period.

b. Security liability and privacy liability coverages protect the firm against claims brought by third parties arising from a cyber-security or privacy event.

c. Event management insurance covers expenses the firm may incur in connection with a data breach or other cyber event, such as notification expenses, credit monitoring, etc.

d. Cyber extortion coverage protects the firm from extortion demands with cyber consequences.

 
3. Beware of exclusions: Read the fine print. For example, some insurers are using broad exclusions to shift substantial risk back to the insured for a breach that results from the insured’s failure to implement and maintain cyber security protocols, particularly those protocols that are listed in the insurance application. In 2015, CNA filed suit against an insured to avoid coverage based on a “failure to follow minimum required practices” exclusion, which eliminated coverage for “any failure” of the insured to “continuously implement” such policies and procedures identified in its application. Such an exclusion should be avoided, since its application could significantly impair coverage for an event caused by human error.
 
4. Ask the broker for benchmarking information: Premiums and limits of liability vary based on firm size, revenue and practice areas.  To improve the decision-making process, the firm’s broker should be able to provide information regarding the types of coverage and limits of liability similarly-situated law firms are buying. 

5. Assess coverage for regulatory matters: If the firm represents high-profile or large corporate clients, realize that a security breach involving the firm could attract regulatory attention. State and federal agencies are becoming increasingly involved in the investigation of data breaches and other cyber security events. Coverage for regulatory investigations is available, along with coverage for regulatory fines and penalties. 

6. Look for BYOD coverage: If employees are able to access firm systems, e-mail or client data on personal devices (not owned or controlled by the firm), consider whether the firm’s cyber policy extends to a data breach or cyber event involving employee-owned phones, tablets and laptops. The risk scenarios are endless—an employee’s 6-year old downloading a game containing malware onto a tablet that accesses firm systems and applications, a laptop with client files and e-mail left in an airport lounge, or a smartphone stolen from an employee’s purse at the grocery store. While many policies specifically extend coverage to mobile devices, make sure the coverage language in the firm’s policy is abundantly clear.

Click here to receive our firm’s e-newsletter, which includes updates on insurance law and other news important to business policyholders.