[BreachExchange] Amid Hacking Threats, Law Firms Turn to Cyber Insurance

Audrey McNeil audrey at riskbasedsecurity.com
Tue Mar 22 21:10:27 EDT 2016


http://www.americanlawyer.com/home/id=1202752692874/Amid-Hacking-Threats-Law-Firms-Turn-to-Cyber-Insurance?mcode=1202616040436&curindex=1&slreturn=20160222131253

With news of crippling cyberattacks against big companies making regular
headlines, more and more law firms are buying cyber insurance to cover the
cost of a data breach.

According to insurance brokerage Aon, more than 60 out of the 250 medium
and large law firms that it services have purchased cyber insurance within
the last two years. Marsh said that close to 40 percent of its roughly 100
large law firm clients have purchased the insurance, up from 20 percent two
years ago.

Insurance professionals say the uptick is driven by an increased awareness
of the threat of a data breach or hack, as well as a realization that
existing law firm insurance policies don’t cover all the costs that could
result from such an attack.

“A lot of firms were under the impression that professional liability would
pick up almost anything. This is not the case,” said Tom Ricketts, a senior
vice president and executive director at Aon. “This has been one of the
major debates that we’ve had with law firms over the last two years.”

The policies that law firms typically carry, such as lawyers’ professional
liability insurance, general liability insurance and property insurance, do
not always provide coverage when employee rather than client data is
compromised, or when the firm must hire a forensic team to determine what
data was lost and how. They also most likely won’t cover the cost of
notifying regulators or engaging a public relations firm.

Cybersecurity insurance policies are designed to cover those costs. This
type of policy has been around since the late 1990s, but previously it was
mostly purchased by banks and retail companies.

“For law firms, that awareness of it has hit a tipping point,” said Greg
Vernaci, a senior vice president and head of cyber at AIG. “That’s why
they’re buying more and more of this.”

Without getting into specifics, Vernaci said the rate at which law firms
are buying cyber policies goes up every year.

Daniel Garrie, co-head of the cybersecurity practice at Zeichner Ellman &
Krause, identified another factor that is pushing firms to buy cyber
insurance. “Their clients are compelling the action,” Garrie said. “They’re
requiring the law firms to have cyber insurance as a matter of business.”

Insurance professionals said that cyber policies are complicated and vary
dramatically as insurers seek to differentiate themselves from their
competition. They also change regularly as the threats evolve.

“2016 is the year of ransomware and cyberextortion,” Vernaci said,
referring to a hack in which cybercriminals freeze a company’s online
systems and demand payment to unfreeze them. In a recent example, the Los
Angeles County Department of Health Services lost control of its computers
in a ransomware attack, the Los Angeles Times reported. The county did not
pay the ransom demanded.

Vernaci said he has seen a large law firm subject to this type of attack
recently, though he declined to name the firm. He emphasized that many
industries are being targeted, not just law firms or health care providers.

Just as policies vary dramatically, so do their prices, Ricketts said. But
he offered what he called “a very, very loose rule of thumb”: A policy
should cost $10,000 to $15,000 for each $1 million of limit.

In other words, a firm can expect to pay between $20,000 and $30,000 per
year for a cyber policy that will cover up to $2 million in expenses.

Ricketts estimated that law firms with fewer than 50 attorneys are
typically buying insurance with a $2 million limit; midsize firms are
looking at policies with limits between $3 million and $5 million; and
firms with over 500 lawyers might buy policies that pay out $10 million or
more.

Cyber policies can cover the cost of a breach response team, which
typically includes security consultants and a lawyer to guide the company
through the response process, as well as the loss of revenue attributed to
the breach. The policies can also cover expenses associated with a
ransomware attack and lawsuits resulting from an attack that causes the
loss of data.

Bob Parisi, a managing director at Marsh, said cyber policies also provide
extra services, or “things like forensic services, loss prevention
services, access to experts to help you become less risky.”

While any company can be the target of a cyberattack, law firms are unique
in the breadth of the information they store, said Scott Broome, a senior
vice president at Marsh.

“They handle all of their engagements under privilege,” he said. “And the
information that they hold is extremely valuable.”