Articles
Bench & Bar of Minnesota is the official publication of the Minnesota State Bar Association.

Managing Cyber Risk: Is cyber liability insurance important for law firms?

Cyber liability insurance policies are growing in popularity among organizations that store client data, but in my experience those who have them are probably just as confused about what they cover as those who decide to go without. Generally described, cyber liability insurance is meant to protect businesses and organizations from cybersecurity risks posed by their internet and technology infrastructures. 

As we know, cybersecurity risks are multifaceted and damages often cannot be accurately quantified or fully described by those affected. Several categories of incidents may be considered types of cyber risk, ranging from natural disasters that cause technological failure to internal theft to phishing scams. How can this type of insurance policy a) assess the value of data compromised or b) assess current and ongoing damages with any certainty? When federal laws and regulations are inconsistently applied and enforced, should cyber liability insurance be a requirement for organizations, specifically law firms, that create, collect, and store client data? And how should organizations respond if widespread regulations are ultimately put into place? In this article, I will examine the elements of cyber risk, the role of the security assessment in coverage offerings, and insurance as part of a proactive security approach.

Defining cyber risk 

To start, it should be noted that probably the greatest problem currently facing the cyber insurance market is what exactly constitutes “cyber risk.” There is often a disconnect between what the insurer would describe as cyber risk and what the insured believes to fall under that category. According to the Institute of Risk Management, cyber risk “means any risk of financial loss, disruption or damage to the reputation of an organization from some sort of failure of its information technology systems.” This broad definition remains open to a number of interpretations involving what constitutes failure of IT systems, where the human element of security comes in, and the scope of damages. The breadth of this definition and the possible categories of risk included leave a lot of room for argument between insurers and insureds.

It should be noted that there are different types of client data that deserve different degrees of protection from cyber risk. The varying risks include but are not limited to business interruption, identity theft, disclosure of sensitive information, technological failure, failed IT processes, and the human element—which encompasses mistakes, negligence, internal theft, and many more associated risks. In the event of a data breach, sensitive client data like Social Security numbers and birth dates are more important than license plate numbers. 

Different organizations have different insurance needs depending on the types of data they manage. Determining which risks they are likely to face also depends on a number of variables—and at the end of day, it’s largely unpredictable. Considering the types of data handled by law firms and the boundaries imposed by attorney-client privilege, law firms may find it more difficult than most businesses to determine the large-scale effects of cyber risk. 

Cyber liability insurance is notably different from other kinds of insurance products (including general liability insurance that covers technology errors and omissions) due to the complex definition of cyber risk. General liability coverage is primarily for technology product and service providers that store corporate data, whereas cyber liability insurance is applicable for any organization susceptible to data breaches, website media liability, and property loss due to cybercrime. Many policyholders believe that cyber risk is another component covered by their general liability policy, only to be surprised when they are told otherwise in the wake of a breach. The relative novelty of cyber insurance has caught a lot of firms and organizations off guard, since cyber risk is now seen as a specialized subset requiring a separate application process and specific coverage.

Quantifying cyber risk-related damages

As demonstrated by its broad definition, the complexity of cyber risk makes for complicated policies and customer expectations. One consideration involves external threats resulting in data breaches. Compromised data may or may not entail subsequent damages or malicious activity against the victim(s). While a firm or organization is always hurt reputationally and financially by a breach, it’s harder to determine how individual victims should be handled and how their damages should be incorporated into a proactive response. In comparison to other kinds of operational losses, the losses associated with cyber risk are both financial and reputational. The damages stemming from cyber risk are fairly nebulous, and incorporating the full scope of the public’s loss and response to a breach is even trickier. If it’s difficult for cyber experts to encapsulate it accurately without leaving anything out, it’s even harder for an insurance company that’s trying to put a price tag on it or an insured who wants the best coverage at the lowest possible price.  

In the growing realm of data breaches, how does one pinpoint which breach led to which attack or subsequent set of damages for individuals? In the wake of the Equifax breach, for example, millions of U.S. citizens panicked over having their personal information stolen. Many of them appeared to believe this was the first and only time their information had ever been breached, and that if they did end up becoming victims, this breach would be responsible.

The fact is, the majority of individuals affected by the Equifax breach probably had already had their information compromised at least once by a previous breach of some kind. If you become a victim of identity theft, it is impossible to say with any certainty which data breach, if any, led to it. (Maybe it wasn’t a data breach at all, but an error on your part that led to information being compromised.) 

While Equifax’s response to its breach was lacking and many of the affected individuals were unwilling participants in having Equifax store their information to begin with, it is still true that assigning blame to any one data breach is not feasible. If someone had their identity compromised as a result of a data breach that occurred in 2015 but only suffered identity theft in 2018 and blamed the Equifax breach, how could it be determined with any certainty or fairness who was responsible and which insurance policy should cover the loss? Identity theft is not a joke; millions of families suffer it every year. But when it comes to assigning blame, it’s truly anyone’s guess. Factoring in victim damages as a result of an organizational breach is another source of ambiguity and confusion when it comes to cyber liability insurance. 

In addition to the accountability problem, it’s also very difficult to assess potential future damages. When client data is personally identifying and permanent, such as a Social Security number, the potential for damages is lifelong. But what about data that doesn’t fall under this umbrella? For a law firm, a breached email account can cause significant financial and reputational damages. But how significant? How does a law firm measure the potential client damages in the wake of a breach, and how should a cyber liability policy be applied when the value of data differs and the greatest loss is arguably reputational? When data breaches cause reputational and financial damage, can a cyber liability insurance policy adequately account for ongoing remediation efforts and possible compensation? Potential future losses, many of them unknown until they occur, pose another serious problem when it comes to the value of cyber liability insurance and its part in counteracting cyber risk.

As the management of cyber risk becomes more regulated at a national level and technology continues to adapt and expand, insurers are also placed at a great disadvantage. The attention brought to cybersecurity issues in the media, paired with the very public fallout of large-scale data breaches and events, makes for a tempestuous legal environment, especially when current laws and regulations are fairly minimal. Given all the variables in play—the cost of insurance policies, the associated application requirements, the pressures of growing regulations and requirements—small businesses and firms especially will be faced with an ever-increasing set of hurdles. Insurers likewise will have to quickly adapt and adjust policies to reflect changing policy and cybersecurity requirements.

For the remainder of this article, I will discuss the security assessment aspects of obtaining coverage, insurance as part of a proactive approach, and the incentivizing of cybersecurity investments.

The role of the security assessment

In my experience, it is a requirement of all insurance companies offering cyber liability coverage that prospective insureds either provide recent security assessment results or pay up front for on-site security risk assessments and consulting. Depending on the company, security assessments can be strenuous or relatively broad, but either way this requirement poses costs that need to be factored into the cost of the overall premium. While security assessments should be regularly conducted within any organization or firm, an insurance company may have extra requirements or may require a more recent security assessment conducted by the third party of their choosing. This is done in an attempt to categorize and quantify potential cyber risks while simultaneously encouraging policyholders to create “cultures of security” that minimize moral hazard or human error risks.

Cyber risks stemming from the human element, rather than technology per se, are arguably much more damaging and widespread. I would argue that the risk stemming from this human element (involving social engineering attacks, internal theft, mistakes, misuse, dissemination of confidential or proprietary data, and the like) seems impossible to measure authoritatively during the course of a routine security assessment. These attacks frequently change and become more sophisticated. The reality of evolving technologies is that the associated risks are always evolving too—but a well-executed security assessment is essential in developing sound written policies and protocols designed to defend against, and respond to, these risks. 

Security assessments associated with this kind of insurance are a critical part of the value that they offer; merely considering the product will bring greater awareness and increase proactive cybersecurity responses within an organization. Creating written policies and procedures is essential in counteracting risks and developing strategies, even if potential damages cannot be fully quantified or assessed. While the cost of regular security assessment and external third-party review of existing baselines should be considered a priority expense, being mindful of any additional requirements, such as upfront consulting and assessment as required by the insurer, is important. 

Insurance as an incentive for proactive security

Cyber liability insurance should always be considered part of a larger edifice, not a singular measure, in protecting your firm against cyber risks. You should always be highly motivated to engage in proactive security measures that aim to protect organizational data, develop strong cybersecurity policies, train employees, incorporate regular security assessments, and institute remediation strategies and protocols. Having an insurance policy should never take the place of actively understanding and strengthening your security posture. Now, I understand—just because someone has car insurance doesn’t mean he or she will not care about getting in a car accident. Agreed. But in the difficult and opaque world of cybersecurity, it may seem to organizations that the brunt of any cyber event would be handled by their insurance policy, making it less of a priority to counteract the risks. When organizations don’t fully understand the extent of potential damages, insurance may seem like a Get out of Jail Free card.  

Conversely, though, many organizations that purchase cyber liability insurance are more prone to invest in cybersecurity measures and develop strong protocols. In addition to the policy requirements, fostering awareness of the potential financial and reputational costs of malicious cyber events is beneficial in establishing an organization’s security culture. Widespread investment in cyber insurance may also serve to help standardize security assessments and develop baseline criteria for proactive and reactive policies. Ultimately, cyber liability insurance requirements may prove to be the main driving force behind security assessment standardization. In this sense, I would suggest thinking of cyber insurance less as a safety net and more as a valuable component of a well-rounded remediation approach. The preparation involved in purchasing cyber insurance is potentially more valuable than the more or less ambiguous coverage it provides.

 

MARK LANTERMAN is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 trials. He is a member of the MN Lawyers Professional Responsibility Board.  

Leave a Reply

Articles by Issue

Articles by Subject