Cyber liability insurance is a relatively new and still-evolving product. Some researchers currently argue that small to medium businesses (SMBs) or “late adopters” are the most in need of the protections it can afford. Here’s a primer to help you sort out whether cyber insurance is right for your business clients—or your own firm.
This article is intended to serve as a cursory primer on the cyber insurance product, and is divided into two parts: (1) what you may need to know for your corporate clients; and (2) whether cyber insurance is something your firm may itself need.
Cyber insurance is a relatively nascent insurance product intended to cover costs arising from hacking, cyber attacks, and data breaches. The cyber insurance market is reportedly growing at 38 percent annually,1 dominated by ACE Ltd., AIG, the Beazley Group Ltd., Chubb Corp., and Zurich Insurance Co. Ltd. at the time of this writing. And Berkshire Hathaway Specialty Insurance just announced entry into the market.2 Losses—only some of which are “typically” covered, depending on the policy—can include the costs of a forensic investigation, remediation of the vulnerabilities, business interruption, lost profits,3 share capital devaluation, data breach notifications, stolen funds, regulatory fines,4 brand impact, civil suits by third parties or shareholders,5 and loss of goodwill.
But then, there’s nothing “typical” about the world of cyber insurance. Because of the lack of actuarial data,6 cyber insurance premiums and payment on claims are anything but certain.7 As William Hugh Murray wryly observed, “Premiums are not comparable or competitive; they are not paying many claims. Policies are artfully written.”8 Another commentator laments, “Cyber insurance does not increase security and in many cases is not even reducing liability, because premium costs and deductibles often add up to more than what will be paid out in the event of a breach. And that doesn’t even include the lost opportunity costs if the premiums were instead spent on actually getting more secure.”9 And matters might be getting worse: Reuters reports that insurers are raising deductibles or limiting the amount of coverage to $100 million, despite the fact that losses from attacks can cost more than twice that.10 Average rates for many firms leaped 32 percent in the first half of 2015, according to Marsh & McLennan.11
By way of example, Target Corporation announced in February 2015 that it expected insurance to cover about $44 million, only a fraction, of its breach-related losses.12 The average total cost of a data breach has risen to $3.8 million, according to the Ponemon Institute’s 2015 study, which reports a 23 percent increase over the two preceding years.
To the foregoing opinions, I might add that not all risk is transferrable: In the event of a security incident, the resulting loss of reputation, goodwill, competitive advantage, and future customers may not be immediately, if ever, quantifiable or compensable.
But there may be light at the end of this seeming tunnel of despair: According to a report issued by PricewaterhouseCoopers in September 2015,13 policyholders (in addition to the commentators mentioned above) are questioning the value of the coverage, and, “[T]here is a real risk that a disruptor will move in and corner the market with aggressive pricing and more favorable terms.”14 Paul Delbridge, insurance partner at PwC, also said, “There is also a possibility that overly onerous terms and conditions could invite regulatory action or litigation against insurers.”15
The very next day—no sooner than the proverbial ink had dried on that PwC press release—BitPay sued Massachusetts Bay Insurance Company for denying a claim arising from $1.8 million in losses caused by a spearphishing campaign. The insurer’s position was that a covered loss must result directly from the use of a hacked computer belonging to the insured to transfer funds fraudulently, and that the policy does not cover “indirect” losses caused by the compromise of someone else’s computer system (here, the attackers had hijacked a business partner’s e-mail account to send fraudulent payment instructions).16
Cyber Insurance for Your Clients
According to some researchers, small to medium businesses (SMBs) or “late adopters” are the most in need of cybersecurity insurance. “Small businesses don’t make enough to have an internal security program,” one such researcher is quoted.17 He continues, “If you are a large company with a [governance, risk, and compliance program], technical security program, and incident response team, you are basically ‘self-insuring.’”18
If your portfolio includes corporate clients, or if you are general counsel, you doubtless are already familiar with both privacy and regulatory compliance requirements. And you may one day learn that obtaining cyber insurance coverage is no longer optional: Your clients, including SMBs, may be required by contract with their customers (such as financial institutions) to have cyber insurance. But even if it remains optional, you should become familiar with the potential utility that cyber insurance may provide. To understand its utility, practitioners should use a risk management approach, the very same urged by NIST in its Cybersecurity Framework, as well as the industry standard information security control sets (ISO 27001, COBIT 5, etc.).19
Risk generally is understood as probability multiplied by impact. Probability (or “likelihood”) is a value that weighs several factors. These factors include the desirability of the asset (for example, a database, server, or network), the level of sophistication required to exploit a vulnerability (easy vs. difficult), the ubiquity of the exploit (is it published or known only to a select few?), and the attack surface (must an attacker be in front of the server keyboard, or can it be exploited from the internet without setting foot in your client’s data center?), among others. Impact is likewise a value that involves several factors. These factors include whether your client will suffer an interruption to business, whether an incident requires mandatory reporting to a regulatory authority or customers, whether an incident may result in a regulatory fine or other costly regulatory compliance responses, whether there is a financial loss, inter alia. The ultimate risk value can be lowered by the presence of mitigating controls, if any.
At the conclusion of the risk assessment process, which is likely to involve assessments of multiple systems or processes, the organization should have a better understanding of the prioritization of what needs to be protected, the likelihood of a loss, the potential impact of a loss, and the investments required to manage the risk.
There are four generally accepted ways to manage risk: (1) risk mitigation (taking action that reduces the risk, such as implementing compensating controls); (2) risk avoidance (stop doing the activity that incurs the risk, such as by decommissioning an older unsupported or unpatchable system); (3) risk acceptance (require a responsible party to understand and accept the risk as a cost of doing business); or (4) risk transfer (transfer the risk, by having a third party, such as a vendor, host the system or process, or by having an insurance company indemnify losses in the event of a security incident). The risk assessment process might prompt the organization’s leadership to mitigate the risk by fixing the problem (that is, improving security posture), rather than purchasing cyber insurance.
Cyber insurance is a form of risk transfer. Risk transfer is not appropriate for every kind of security incident: In regulated industries, it is not a substitute for an adequate cyber security program, and it is never a substitute for responsible corporate stewardship. Even in non-regulated industries, risk transfer can do little to rectify harm to a company’s brand or goodwill. But, wherever in the spectrum your client’s business falls, risk transfer—and cyber insurance in particular—may be the right solution for certain risks that cannot otherwise be immediately mitigated or avoided.
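The following is an added illustration of the risk-assessment and risk-treatment steps just described, in working Python; it is not code from this article or its author. The 1-to-5 scoring scales, the percentage by which each control reduces likelihood, the treatment thresholds, the preference order among the four treatments, and the sample asset register are all assumptions chosen for the example. It goes one step beyond the text by adding a rough check on whether a proposed policy is worth its premium, the concern raised by the commentators quoted earlier.

```python
"""Risk = likelihood x impact, scored per asset, then mapped to a treatment.

Added example, not from the article. Scales, control reductions, thresholds
and the sample assets are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field

# Likelihood factors named in the text: desirability of the asset, ease of
# exploitation, how widely the exploit is known, and the exposed attack surface.
LIKELIHOOD_FACTORS = ("desirability", "ease_of_exploit", "exploit_ubiquity", "attack_surface")
# Impact factors named in the text: interruption, mandatory reporting, fines, loss.
IMPACT_FACTORS = ("business_interruption", "mandatory_reporting", "regulatory_fine", "financial_loss")


@dataclass
class Asset:
    name: str
    likelihood: dict                                # factor -> score 1 (low) .. 5 (high)
    impact: dict                                    # factor -> score 1 (low) .. 5 (high)
    controls: list = field(default_factory=list)    # (name, fraction of likelihood removed)
    mitigable_now: bool = True                      # can controls be applied promptly?
    decommissionable: bool = False                  # can the risky activity simply stop?


def _mean_score(scores, names):
    """Average the named factors; each must be present and scored 1..5."""
    values = []
    for name in names:
        v = scores[name]
        if not 1 <= v <= 5:
            raise ValueError(f"{name} must be scored 1..5, got {v}")
        values.append(v)
    return sum(values) / len(values)


def inherent_risk(asset):
    """Probability x impact before any mitigating controls (rounded to 2 dp)."""
    return round(_mean_score(asset.likelihood, LIKELIHOOD_FACTORS)
                 * _mean_score(asset.impact, IMPACT_FACTORS), 2)


def residual_risk(asset):
    """Same product, after each control removes its fraction of the remaining likelihood."""
    likelihood = _mean_score(asset.likelihood, LIKELIHOOD_FACTORS)
    for _name, reduction in asset.controls:
        if not 0 <= reduction < 1:
            raise ValueError(f"control reduction must be in [0, 1), got {reduction}")
        likelihood *= 1 - reduction
    return round(likelihood * _mean_score(asset.impact, IMPACT_FACTORS), 2)


def recommend_treatment(asset, accept_below=4.0):
    """Map residual risk to one of the four treatments: accept, avoid, mitigate, transfer.

    Preference order (an assumption of this example): accept what is already low;
    avoid by stopping the activity where possible; mitigate where controls can be
    applied promptly; transfer (e.g. insure) only what cannot be fixed or stopped now.
    """
    if residual_risk(asset) < accept_below:
        return "accept"
    if asset.decommissionable:
        return "avoid"
    if asset.mitigable_now:
        return "mitigate"
    return "transfer"


def prioritize(assets):
    """Rank assets by residual risk, highest first, with the suggested treatment."""
    ranked = sorted(assets, key=residual_risk, reverse=True)
    return [(a.name, residual_risk(a), recommend_treatment(a)) for a in ranked]


def expected_net_benefit(annual_probability, loss, premium, deductible, limit):
    """Rough one-year check on a transfer decision: expected payout minus premium.

    Payout is the loss above the deductible, capped at the policy limit. A negative
    result means the premium exceeds what the policy is expected to pay back.
    """
    payout = min(max(loss - deductible, 0.0), limit)
    return annual_probability * payout - premium


# Constructed sample register; every score below is invented for illustration.
SAMPLE_ASSETS = [
    Asset("customer database",
          {"desirability": 5, "ease_of_exploit": 3, "exploit_ubiquity": 4, "attack_surface": 4},
          {"business_interruption": 3, "mandatory_reporting": 5, "regulatory_fine": 4, "financial_loss": 4},
          controls=[("MFA on admin access", 0.30), ("monthly patching", 0.25)]),
    Asset("legacy file server (unsupported OS)",
          {"desirability": 3, "ease_of_exploit": 5, "exploit_ubiquity": 5, "attack_surface": 2},
          {"business_interruption": 4, "mandatory_reporting": 3, "regulatory_fine": 2, "financial_loss": 3},
          decommissionable=True),
    Asset("marketing web site",
          {"desirability": 2, "ease_of_exploit": 3, "exploit_ubiquity": 4, "attack_surface": 5},
          {"business_interruption": 2, "mandatory_reporting": 1, "regulatory_fine": 1, "financial_loss": 2},
          controls=[("web application firewall", 0.40)]),
    Asset("email-initiated wire transfers",
          {"desirability": 5, "ease_of_exploit": 4, "exploit_ubiquity": 4, "attack_surface": 5},
          {"business_interruption": 2, "mandatory_reporting": 2, "regulatory_fine": 2, "financial_loss": 5},
          controls=[("callback verification", 0.50)], mitigable_now=False),
]

if __name__ == "__main__":
    for name, risk, treatment in prioritize(SAMPLE_ASSETS):
        print(f"{risk:6.2f}  {treatment:9s}  {name}")
    # Hypothetical policy: 10%/yr chance of a $2M loss, $60k premium, $250k deductible, $1M limit.
    print(expected_net_benefit(0.10, 2_000_000, 60_000, 250_000, 1_000_000))
```

Run as a script, the register ranks the unsupported file server first (avoid), the customer database second (mitigate), the wire-transfer workflow third (transfer, because the process change is not yet in place), and the marketing site last (accept). The final check shows why policy terms matter more than the headline limit: the same $60,000 premium returns a positive expected value against a $2 million loss but a negative one against a $300,000 loss, since most of the smaller loss falls inside the deductible.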
In addition to the possible categories of coverage mentioned in the Introduction, above, cyber insurance is one way to get an otherwise obdurate or frugal client to submit to an information security audit, because underwriters commonly require the applicant to be assessed by an independent third party. In addition, the product offered by some providers, such as Beazley, “includes forensic and legal assistance, notification of up to 5 million affected individuals and optional three bureau credit monitoring services or identity monitoring services for notified individuals, along with loss prevention services and identity theft-related fraud resolution services.”20 Although such a product does not absolve a company from developing and documenting incident response and business continuity plans, it certainly can be a substantial part of both, and may be an attractive choice for smaller companies, such as startups, that lack the wherewithal to have developed such plans.
Finally, be aware of the exclusions or pretexts under which an insurer may decline a claim. These may include retroactive-date exclusions (if the vulnerability or the actual breach predated the policy); terrorism or act of a foreign enemy (consider that attribution of a cyber attack is usually difficult or impossible, and an insurer arguably could rely upon an unproven assertion by a government official blaming a state actor); and failure to maintain reasonable security, or negligence, which invites a dispute over what the minimum standard of due care was and whether the insured met it.21 You will also want to evaluate the effect, if any, that contracts your client has with vendors (for example, by outsourcing IT operations) may have on the coverage.
Cyber Insurance for Your Firm
The need for a law firm to obtain cyber insurance may be contractual (such as now required of firms by some financial institutions), but for the same reasons as those of the firm’s corporate clients, it may just be good risk management. It may also complement the lawyer’s obligations under the Rules of Professional Conduct.
Minnesota recently adopted rule changes from the ABA’s 20/20 Ethics Commission, some of which concern the lawyer’s obligations regarding technology, confidentiality of client information, and entrustment of that data to third parties. The most notable of these changes, itemized below, have obvious relation to the possible utility of cyber insurance.
M.R.P.C. 1.1, Comment:
“To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”
M.R.P.C. 1.6(c):
“A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
M.R.P.C. 1.6(c), Comment:
“The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure. Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use). A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forgo security measures that would otherwise be required by this Rule. Whether a lawyer may be required to take additional steps to safeguard a client’s information in order to comply with other law, such as state and federal laws that govern data privacy or that impose notification requirements upon the loss of, or unauthorized access to, electronic information, is beyond the scope of these Rules.”
M.R.P.C. 5.3, Comment:
“A lawyer may use nonlawyers outside the firm to assist the lawyer in rendering legal services to the client. Examples include the retention of an investigative or paraprofessional service, hiring a document management company to create and maintain a database for complex litigation, sending client documents to a third party for printing or scanning, and using an internet-based service to store client information. When using such services outside the firm, a lawyer must make reasonable efforts to ensure that the services are provided in a manner that is compatible with the lawyer’s professional obligations. The extent of this obligation will depend upon the circumstances, including the education, experience and reputation of the nonlawyer; the nature of the services involved; the terms of any arrangements concerning the protection of client information; and the legal and ethical environments of the jurisdictions in which the services will be performed, particularly with regard to confidentiality. (Internal references omitted.) When retaining or directing a nonlawyer outside the firm, a lawyer should communicate directions appropriate under the circumstances to give reasonable assurance that the nonlawyer’s conduct is compatible with the professional obligations of the lawyer.”
The gist of these rules changes is that competency now requires an understanding of the benefits and risks of technology as well as the use of “reasonable efforts” in maintaining client confidentiality and in requiring nonlawyers, including vendors, to adhere to the same professional practice standard.
Ascertaining what is reasonable is best done using the risk management approach discussed above. Consider that law firms are vulnerable to liability-incurring breaches for three reasons, as Lommen Abdo lawyers Keith Broady and Bryan Feldhaus explain:
(1) law firms maintain large volumes of confidential client information that can include financial account information, confidential personal identifiers, such as social security numbers, and other client financial and personal information; (2) law firms may not have implemented sufficiently-robust systems to prevent the inadvertent and/or unauthorized disclosure of client information; and (3) the mobile technology used by lawyers has diversified the platforms on which client information is stored and may increase the probability that an inadvertent or unauthorized disclosure will occur. As a result, law firms must remain vigilant about the type and manner of technology used in their practice, and should constantly monitor and assess the use of that technology.22
The question, then, is how does cyber insurance complement malpractice insurance? Lawyers Professional Liability (LPL) insurance policies, subject to their terms, conditions and exclusions, are intended to apply to claims brought against the lawyer or firm arising from professional services to clients or other third parties to whom the firm owes a fiduciary duty. Because both the rules of professional conduct, supra, and fiduciary obligations require the protection of confidential data from unauthorized disclosure (breach), the failure to do so would be a breach of the duty of care for which LPL coverage likely would apply.23 LPL policies, however, are not intended to cover the insured’s losses, for which cyber insurance is intended,24 and these may include:
- Data breaches not involving client claims or associated with any client services;
- Claims by third party vendors;
- Claims brought by employees for unauthorized disclosure of their personal information;
- Fines and penalties;
- Loss of firm goodwill or reputation;
- Loss of firm revenue caused by a disruption to the firm’s services;
- Incident response expenses covering forensic examiners and experts to ascertain the extent of the breach, the root cause, what data was compromised, regulatory requirements that must be fulfilled, and remediation of the vulnerabilities.
Cyber insurance has a potentially important role in risk management, corporate stewardship, and professional practice standards. Whether it may be needed by your corporate clients or your firm or both, becoming informed about cyber insurance offerings, how to avoid the pitfalls, and how they complement malpractice and general liability coverages is one certain way to distinguish yourself and your practice from the rest. Use the risk assessment process incident to evaluating cyber insurance to identify the assets most in need of protection, and as a way to raise awareness for more desirable risk outcomes, namely mitigation or avoidance. If cyber insurance is the chosen option for one or more of those risks, you will have the very important task of reviewing the policy language to fully understand the terms, conditions, and exclusions of the policy.
Sean Harrington is a cyber security attorney and digital forensic examiner with a background in software development lifecycle, information security, corporate governance, corporate investigations, government relations, regulatory affairs, and the financial and healthcare sectors. He is admitted to the state bars of California and Wisconsin, licensed by the Texas Private Security Bureau to practice digital forensics, and resides in Minnesota.
1 Aon PLC Insurance Risk Study, 9th Ed. (2014) at 19. (“Aon Risk Solutions has seen cyber premium rise at a compound annual growth rate of 38 percent over the last five years, according to data from the Aon GRIP platform”).
2 Doug Olenick, “Berkshire Hathaway Specialty Insurance enters cyberinsurance arena,” SCmagazine (Oct. 06, 2015).
3 Jennifer Bjorhus, “Target’s 4Q profit falls 46% after breach, Canada expansion,” Star Tribune (2/27/2014).
4 Malathi Nayak, “U.S. FCC imposes $25 million fine on AT&T over customer data breach,” Reuters (4/8/2015).
5 See, e.g., Kevin LaCroix, “Target Directors and Officers Hit with Derivative Suits Based on Target Breach,” The D&O Diary (February 03, 2014), last retrieved from http://www.dandodiary.com/2014/02/articles/cyber-liability/target-directors-and-officers-hit-with-derivative-suits-based-on-data-breach/.
6 “Where Cyber Insurance Underwriting Stands Today,” Insurance Journal (6/12/2015).
7 See, e.g., Lisa Vaas, “We don’t cover stupid, says cyber insurer that’s fighting a payout,” NakedSecurity (5/28/2015); Paul F. Roberts, “Cyber Insurance: Only Fools Rush In,” ITworld (10/27/2014).
8 SANS NewsBites Vol. 17 No. 076 (9/29/2015).
9 John Pescatore, SANS NewsBites Vol. 17 No. 076 (9/29/2015).
10 Jim Finkle, “Cyber insurance premiums rocket after high-profile attacks,” Reuters (Oct. 12, 2015).
12 SEC Form 8K filed by Target Corp., 2/25/2015.
13 “Insurance 2020 & beyond: Reaping the dividends of cyber resilience,” available from http://www.pwc.com/gx/en/industries/financial-services/insurance/publications/insurance-2020-cyber.html.
14 Press release, “Cyber insurance market set to reach $7.5 billion by 2020 — PwC report.” (9/14/2015).
16 Smith, “Cyber insurance rejects claim after BitPay lost $1.8M in phishing attack,” Network World (9/21/2015).
17 Jesse Staniforth, “Into the spotlight: Cyberinsurance” SCmagazine (10/1/2015).
19 Ibid (“Any organization considering insurance needs to conduct a thorough risk assessment to understand what that insurance will be used to protect, and therefore what kind of investment it will require,” quoting Adam Shostack, author of Threat Modeling and the New School of Information Security).
20 Cyber/Breach Response brochure, Beazley USA Services, Inc., available from http://amwins.com/SiteCollectionDocuments/Premier%20Documents/CYBER%20Program%20Overview%20BEAZLEY%20R1.pdf.
21 See, generally, Ericka Chickowski, “10 Things IT Probably Doesn’t Know About Cyber Insurance,” DarkReading (10/23/2014).
22 Broady & Feldhaus, “Downloading Technology in Legal Practice: Amendments to the Rules of Professional Conduct” (6/1/2015), available from http://www.lommen.com/Firm-News/Seminars/Downloading-Technology-in-Legal-Practice.aspx.
23 Discussion Paper: “Lawyers Professional Liability Insurance Versus Cyber Liability Insurance,” Endurance Insurance, available from http://endurance.bm/sites/default/files//files/Endurance%20Insurance%20-%20Discussion%20Paper%20-%20LPL%20vs%20Cyber.pdf.