Are you covered? Cyber insurance market is highly unstable and lacks uniformity
With a single click, a law firm can be brought to its knees.
On May 22, 2015, an employee at Moses Afonso Ryan, a small business-law firm in Providence, Rhode Island, opened an attachment in an email from an unknown source.
Within a short time, every document and device on the firm’s network was disabled. Access was hidden behind a wall of encryption that even hired experts could not crack.
Cybersecurity and the law
A joint production of the ABA Journal and the ABA Cybersecurity Legal Task Force
Thinking it had no other options, the firm capitulated to the perpetrators of the ransomware attack, went through two rounds of negotiations, and paid two ransoms for a total of $25,000 in bitcoins to free its system.
Although not every document was fully recovered, the law firm was functioning again. But the cost was steep. Not only did it lose the ransom money; the attack also forced the firm offline for three months. Additionally, being unable to operate during that time cost the firm more than $700,000 in potential income, according to court documents.
The firm thought it was completely insured, thanks to a property coverage policy from Sentinel Insurance Co. that covered loss of income under certain circumstances, including computer fraud. However, the firm got a rude awakening when Sentinel paid only $20,000 of the claim for damage to the computer system. Sentinel argued that the loss of income is not insured under the property coverage because there was no “direct physical loss of or physical damage to property at the ‘scheduled premises.’ ”
As a result, the firm sued.
The case languished in the U.S. District Court for the District of Rhode Island for three years before both sides came to a settlement in late April. A representative from Moses Ryan, the firm’s current name, confirmed that a deal had been reached but declined to elaborate, citing a confidentiality agreement. The Hartford Financial Services Group, Sentinel’s parent company, did not respond to requests for comment.
As cyberthreats evolve and proliferate, more insurers are expanding options to help law firms mitigate loss. However, without industry standards, coverage and cost vary from plan to plan, sometimes causing gaps in potential coverage, such as what Moses Ryan experienced.
Despite the state of flux, experts say there are concrete steps for attorneys to take in trying to navigate a fluid and confusing market.
Kevin Kalinich, the cyber-risk global practice leader at insurance broker Aon and co-author of an article in the second edition of The ABA Cybersecurity Handbook, says stand-alone cyber policies are a new addition to the insurance market.
It’s likely that many firms are already covered against some cyberincidents, at least partially, by their general or professional liability insurance, he says.
This means if there is a cyberbreach by a third-party vendor, for example, malpractice insurance should cover data loss in the provision of services. However, these policies can create coverage gaps, depending on the incident.
On account of these gaps, Kalinich thinks having a separate cyber insurance policy can help. The first benefit regards business interruption. The Rhode Island case “specifically illustrates the difference between general liability and professional liability in lost billings,” Kalinich says.
He says most general policies are silent about business interruption caused by a cyberincident, “and that’s where the cyber policy comes in for a law firm.”
Similarly, he says kidnap and ransom policies are beginning to see claims because of ransomware attacks, so insurers are excluding cyber-related ransom from this coverage.
Lastly, Kalinich says cyber-specific plans can cover investigation and remediation of an IT disruption, which can cost hundreds of thousands of dollars and will likely not be covered by general or professional liability plans.
“Cyber coverage should be an enhancement” to existing insurance policies, says Verne Pedro, an attorney at Merlin Law Group in Red Bank, New Jersey. “You want to make sure that all the policies that you have are working together.”
Beyond coverage found in traditional professional insurance, cyber policies also may cover related costs, such as paying fines from federal and state regulators, recouping public relations expenses, sending notifications to those affected by the breach, and hiring a breach coach to manage an incident’s fallout.
There is no definitive number of how many lawyers or law firms are covered by some form of cyber insurance, says Jim Rhyner, president of Navigators Pro, a division of Navigators Insurance Co., and co-author of an article in the second edition of The ABA Cybersecurity Handbook.
He surmises that 10 to 15 percent of law firms have stand-alone cyber insurance policies. However, according to Rhyner, underwriters are projecting 30- to 50-percent increases in coverage this year compared to last year, which is significant growth.
Fitch Ratings, a credit rating agency, reported that insurers wrote $1.35 billion in premiums for cyber insurance in 2016, a 35 percent growth over the year before.
Meanwhile, a 2017 report from insurance company Hiscox Ltd., which analyzed businesses in Germany, the United Kingdom and the United States, reported that 55 percent of 1,000 U.S. businesses surveyed had taken out a cyber policy. This was 19 to 25 percent higher than companies surveyed in the U.K. and Germany, respectively.
This article was published in the June 2018 issue of the ABA Journal with the title "Are You Covered? Cyber insurance has become a must-have for lawyers, but the still-nascent market is highly unstable and lacks uniformity."