Are you covered? Cyber insurance market is highly unstable and lacks uniformity
Even with this growth in cyber coverage and premiums in the commercial industry, some noncommercial insurers covering attorneys’ cyber liabilities are passing on the coverage at little to no cost to their clients, such as the Attorneys’ Liability Assurance Society and the Oregon State Bar’s Professional Liability Fund.
At ALAS, an insurer owned by the law firms it insures, Scott Burns, senior vice president of member services, says he would explain to firms that “the most realistic and likely exposure to lead to loss for the firm would be a data breach or hack that would result in the loss of client data.” Most of those losses, he says, would be covered by the firm’s traditional professional liability policy.
That was more than enough for some firms. However, he says other firms want more comfort.
To meet that demand, the company added a cyber endorsement, which is like a rider, in 2015 at no extra cost. However, even with the new endorsement, he says cyberbreaches are not where ALAS sees claims.
“Cybersecurity is important, and the risk is there,” he says. However, “it’s not what causes our underwriting losses.” Burns says losses are led by other claims under professional liability coverage, such as lawyers’ mistakes and misconduct.
The Professional Liability Fund, the mandatory provider of primary malpractice coverage in Oregon, began to offer cyber coverage as part of its excess insurance in 2013. At about $35 per attorney insured per year, the price beats most stand-alone policies, says Emilee Preble, lead underwriter at the PLF.
As of July 2017, there had been only eight claims under the new policy, according to a report by Preble. She says “most of those claims had to do with lost and stolen devices.”
These claim numbers may be unique to Oregon attorneys. The PLF’s underwriter, Beazley Insurance Company Inc., reported in a study earlier this year that 36 percent of more than 2,600 studied breaches across industries happened last year because of hacks or malware, while losing a device accounted for 6 percent of breaches.
Regardless of the types of breaches, Burns and Preble say clients of law firms are demanding that the firms have more cyber coverage. In Oregon, Preble says she sees clients pushing law firms to have higher cyber coverage limits than their standard excess policy.
Even with growing pressure from clients, there’s reason to be cautious before running out and buying an off-the-shelf plan. “It’s like the Wild West,” says Rhyner of Navigators Pro.
With each carrier writing its own policy, there is no standard. This means applications and fundamental terms, such as “cyberincident,” will vary from insurer to insurer.
Definitional conflicts are leading to litigation in some cases. In one example, Medidata Solutions Inc., which provides cloud-based services to scientists undertaking medical trials, was phished in 2014. This social engineering attack led to the wire transfer of about $5 million to the criminals.
The company had an insurance policy with crime coverage through Federal Insurance Co., which included computer and fund transfer fraud. The insurer, however, refused to pay, arguing that the phishing scam did not constitute a “fraudulent entry” of Medidata’s system because it was done through email and therefore did not meet the policy’s definition of computer fraud.
Judge Andrew L. Carter Jr. of the U.S. District Court for the Southern District of New York was not persuaded by this or other arguments made by Federal Insurance. He granted Medidata’s motion for summary judgment and awarded $5.8 million to the company in damages and accrued interest. The case is currently on appeal in the 2nd U.S. Circuit Court of Appeals at New York City.
Beyond definitions, prices will vary as well, possibly at a higher cost for lawyers.
“The legal sector is considered a higher risk than many others but not as high as some,” says Damian Caracciolo, vice president of the executive protection practice at Cbiz Inc., a financial services company. “The cost is driven by the carrier’s cost per stolen record in that specific industry in the event of a claim.”
He says costs also will be affected by the type of data held by the firm, the firm’s primary practice areas, and how data is retained.
The size of a firm and number of attorneys covered also will affect costs, says Mike Tanenbaum, an executive vice president at insurance company Chubb, the preferred provider of cyber liability insurance for the ABA.
Naturally, the amount of coverage will affect cost as well, he says. Chubb, for example, has coverage limits that range between $5,000 and $100,000,000. However, Tanenbaum says, “as law firms’ cyber insurance buying patterns evolve, so does the coverage and evolution of limits.”
To ensure the best pricing, Caracciolo says it is important to get numerous quotes.
5 STEPS TO SUCCESS
Still, shopping for cyberinsurance can be overwhelming, says Judy Selby, a cyber insurance consultant and attorney based in Charlottesville, Virginia. To get a handle on this issue, she recommends five steps a firm can take to assess and choose a proper policy.
First, a firm has to know its liabilities and the threats it faces. This can be accomplished through internal or third-party threat assessments of the firm’s security. It also can be accomplished by filling out a thorough cyber insurance application required by many carriers
Second, firms must assess existing insurance policies to make sure a separate cyber policy does not create overlapping coverage, which can generate trouble when trying to make a claim later, Selby says.
Third, the application forms should be filled out with a multidisciplinary team at the firm that can answer legal and technical questions accurately. The last two steps require the firm to pick the right policy for its needs and understand its obligations regarding disclosure, liability and notice.
As pressure mounts on firms to get cyber insurance, either due to growing threats or client demand, this extra effort can help make sense of this dynamic and fluid market.
Finding the right policy will be worth it, Selby says. Having the insurance provide support, such as a breach coach after an incident, alleviates a lot of problems. “It saves money; it saves time; it saves your reputation,” she says. “It’s better for everybody.”
This article was published in the June 2018 issue of the ABA Journal with the title "Are You Covered? Cyber insurance has become a must-have for lawyers, but the still-nascent market is highly unstable and lacks uniformity."