Cybersecurity insurance is a ‘must have’ for law firms
Katherine Toomey. Photograph by David Hills
Nearly a quarter of law firms with 500 or more attorneys have experienced a cybersecurity breach, according to those who responded to the ABA’s 2015 Legal Technology Survey Report.
So there’s no question that securing online information is on the mind of many law firm leaders. So is the need for cybersecurity insurance.
“It’s something you must have,” says Robert Owen, a New York City-based partner with Sutherland Asbill & Brennan. A firm victimized by a cyberattack may need to hire experts to investigate the breach, reassure clients, stanch any reputational damage and address possible regulatory inquiries. “There’s a whole host of risks,” Owen says.
An endorsement to a firm’s property and casualty policy typically provides just a “sliver of coverage,” says Eileen Garczynski, senior vice president with specialty broker Ames & Gough in McLean, Virginia. For instance, an endorsement might cover the cost to restore data, but not any fines stemming from the breach.
PRIMARY FIRST
An effective cybersecurity policy must have several provisions. First of all, it should be a primary policy. “A primary policy responds first,” Garczynski says. It wouldn’t require the firm to turn to its professional liability coverage first.
The Lewis Baach law firm also looked for policies that would cover pre-existing problems, says Katherine Toomey, a Washington, D.C.-based partner there. That could include a virus in the firm’s system at the time the policy was obtained that hadn’t been detected.
Law firms also will want to assess the additional services the insurer offers, Owen says. For example, some insurers retain forensics experts for use in cyber investigations. The firm should know if it will be required to use the insurer’s expert. If so, it will want to evaluate the experts’ qualifications.
Some coverage is limited to personally identifiable information, such as Social Security numbers. “You want it to cover a breach of anything protected under attorney-client privilege,” Garczynski says.
Conduit coverage also is critical, says Jim Rhyner, senior vice president and specialty law firm segment manager with Chubb. This protects the firm if another entity suffers damages because of a breach in the firm’s system.
Applying for cybersecurity insurance often requires documenting the cybersecurity practices in place at the firm. The insurer may ask whether the firm encrypts data, if it has implemented an information security plan that addresses the network as well as portable devices, and if employees receive security training.
“We’re focused on a culture of risk mitigation versus just risk transfer,” says Erica Davis, vice president with insurer Zurich North America.
While it’s in the insurer’s interest for its policyholders to have implemented such policies, law firms also benefit. “The questions they ask,” Owen says, “are a great educational process.”
INFORMATION SHARED
The Legal Services Information Sharing and Analysis Organization, launched in 2015, provides an industry forum on security threats facing the global financial services sector. Law firms can share information that will help members prevent and respond to cyber and other risks. This includes information on threat alerts, vulnerabilities and best practices.
Cybersecurity insurance costs vary with the size and type of firm. Garczynski provides a few rough estimates: small to midsize firms might pay between $500 and $7,500 for $1 million in coverage, while larger firms could pay from $40,000 to $60,000 for policies providing $2 million to $3 million in coverage.
Rhyner notes that the relatively small levels of equity on which many law firms operate could be quickly consumed in a cybersecurity breach. The coverage offers “true balance sheet protection,” he says.
This article originally appeared in the November 2016 issue of the ABA Journal with this headline: “Cyber Coverage: Separate policy, certain provisions needed for data protection.”
