Cybersecurity is amongst the fastest growing segments of the insurance industry. Many industries are realizing that their data is one of their most valuable, and vulnerable, assets. The Panama Papers is an example of how a law firm can be susceptible to cyber hacking.
Most law firms will have dozens of smartphones and laptops, exchange confidential information via email and carry printed client information. Furthermore, employees may use personal devices to access company servers and be very casual about leaving their machines/phones unattended. Taken all together, this could be a hacker’s dream come true.
A lawyer’s Professional Liability policy would typically not cover cybersecurity-related incidents, thus leaving a massive risk exposure.
Why lawyers need cybersecurity insurance
Any company that holds lots of confidential client information should consider cybersecurity coverage. Attorneys, in particular, are entrusted with highly confidential information, such as privileged details about cases, financial/health records, and personal client details. As a result, lawyers make for ideal targets.
The loss of data could be a result of a malicious attack, theft of a phone or laptop, or even a careless email attachment. A carefully crafted cybersecurity insurance policy could protect a firm against each of these risks.
How cybersecurity insurance protects lawyers
The coverage is for direct costs incurred by the insured company, not for costs that come as a result of lawsuits or regulatory demands/fines. The most common types of claims on this type of policy include:
- Notification costs: Notifying clients and partners of the breach
- Forensics: Legal and forensic help to triage the breach, and meet any regulatory requirements
- Client services: Credit monitoring and identity management services for clients and partners. This is particularly important if payment credentials (e.g., credit cards) or SIN numbers were breached
- Extortion: Paying extortion or blackmail costs in case the data is held hostage
- Data recovery: Costs associated with recovering lost client files and other valuable data
- Crisis and brand management: Hiring a public relations firm for crisis and brand management
- Business interruption: Coverage to protect against lost income or revenue that occurred as a direct result of the breach (e.g., additional staff, new office space, contract services)
Key Things to Watch For
Every policy is different, but there are some critical elements to watch for in a cybersecurity policy. Like many legal documents, an insurance policy can be extremely length, with a lot of the wording focused on what is not covered, versus what is covered. However, the following are a few key elements to watch out for in your cybersecurity insurance policy
1. Trigger for the policy to respond: Make sure you understand what incidents will result in your policy responding. Some policies require a loss to have occurred, while others require a lawsuit to have been filed. The former is preferred since it provides more flexibility.
2. Sub-limits for each coverage. The top-line coverage limit (e.g., $5M) may not be the same limit for each coverage in your policy. There will almost always be “sub-limits” for specific coverages. Make sure you review the list and that you are comfortable with the coverage offered.
3. Unauthorized access versus failure to protect: The most commonly cited breach is caused due to an outside agent intentionally gaining unauthorized access. However, if your policy only responds in such cases, you may be left exposed. You want a policy that also covers cases where confidential information is released without unauthorized access, such as a lost hard-drive, stolen papers or accidental emailing of a spreadsheet.
4. Electronic versus paper records. Some policies limit coverage to electronic data, such as emails and computer databases. However, this means that loss of paper notebooks would be excluded. It is safest to have a policy that covers both electronic and paper records.
5. Choice of counsel. Some policies require that the insured party hire only from within a subset of lawyers pre-approved by the insurance company. Of course, this limits your choice, and thus it is ideal to be able to select the counsel of your choosing.
6. Retroactive coverage. A cybersecurity insurance policy will typically have a “retroactive date”, which means all losses going back to that date would be covered, but anything prior to that date would be excluded.
As you evaluate a cybersecurity insurance policy, keep the above points in mind to make sure you find the most appropriate coverage. Ask your insurance provider to explain your insurance policy to you in plain English to make sure you understand what you are purchasing. You wouldn’t sign a contract without reading it: the same should be true about your cybersecurity insurance policy.
Zensurance is Canada’s leading online commercial insurance broker. We offer a full range of insurance products to small businesses, with a particular focus on digitizing businesses and technology startups. We understand what it is to work with new technology, and know the most common risks of which you should be aware. Based on that (and a lot of analytics), we recommend the ideal insurance coverage for your business.