Cyber insurance: A necessity for law firms
Jamie Monck-Mason sets out to de-mystify cyber insurance and demonstrate why solicitors should be buying it
Few insurance products are met with as much scepticism from lawyers as cyber insurance. Lawyers like concepts to be expressed clearly in words: what does ‘cyber’ even mean?
Such policies are littered with new-fangled jargon, and no two adopt precisely the same terminology. There is also a common perception that many cyber risks are already covered under traditional policies, notably the famously wide minimum terms and conditions of professional indemnity insurance (PII). This is a pity, because cyber insurance – while no substitute for IT security – offers valuable protection against increasingly real and imminent exposures.
A typical cyber policy is a miscellany of different coverages. Many people identify ‘cyber’ with ‘data protection’, but that’s only part of the picture. First-party coverage includes:
- Data breach response – covering forensic costs of addressing a breach; the costs of notifying data subjects and the Information Commissioner’s Office; legal costs regarding notification; PR costs to mitigate the reputational damage; call centres; and credit monitoring or ID protection for data subjects;
- Cyber extortion – covering the costs of investigating, negotiating with, and potentially paying ransoms;
- Network interruption – covering lost income arising from unavailability of IT networks and ongoing or increased costs of working;
- Data restoration – restoring data following a data breach or cyber attack;
- Data protection regulatory defence and fines – covering costs in liaising with the ICO and fines;
- Fraudulent funds transfer – covering funds transferred to criminals through impersonation; and
- Reputational harm – covering the value of lost client contracts or lost income arising from adverse publicity.
Third-party coverage includes:
- Network security liability – covering claims arising from defective cyber security and transmission of malware;
- Privacy liability – covering claims for misuse of private information (as in Vidal-Hall v Google); and
- Multimedia liability – covering claims for online infringement of IP rights and defamation.
Do firms need any of this? The simple answer is yes. Thankfully, all but the most Luddite firms recognise that no IT security is perfect: all organisations will experience hacks, breaches, and outages.
Even when a client base is predominantly corporate, consideration needs to be given to personal data relating to litigants, witnesses, directors and officers, or individuals whose data is stored on fraud databases. Outsourcing the processing of such data in no way absolves the firm itself from legal or reputational responsibility.
The most common claims arise from ransomware attacks. This malware locks screens or encrypts files before a decryption key is offered by the extortionists in return for a ransom. Security experts estimate that such attacks increased five-fold in the 12 months up to March 2016, while 69 per cent of professionals believe their organisation will be targeted in the next 12 months. As with data breaches, the direct costs are often dwarfed by the potential reputational impact.
The profession has a touching faith in the panacea-like qualities of PII. Traditional ‘loss of documents’ extensions in PII policies have evolved to cover restoration of electronically stored data, so standalone data restoration cover adds little for most firms. Fraudulent funds transfer cover can also sometimes be found as a bolt-on to PII policies.
Lawyers’ faith in broad civil liability insurance is arguably less well founded, however. Though the language in such clauses is exceptionally broad, the underlying context for such cover is often overlooked. Even insurers can casually agree that third-party cyber claims will be picked up by PII. But where the sums in dispute are large enough, we’ve seen instances of insurers arguing that claims arising out of, for example, the transmission of a virus, arise not out of the conduct of the policyholder’s professional services, but rather out of ancillary business operations. In short, lawyers are wrong to assume that network security or privacy claims will be met without demur by their PII policy.
Seen as an inexpensive and convenient approach, cyber insuring clauses are often bolted on to PII policies. However, if non-specialist insurers with inadequate understanding of risk add such bolt-ons for little additional premium, will they hold sufficient reserves? Insurers with a toxic book are more likely to delay settlement of claims. Also, claims teams with no cyber background are less likely to handle claims effectively.
Perhaps more importantly, lawyers should consider whether they really want to erode their PII limits of indemnity or create problems with their renewal due to unrelated cyber exposures.
A combination of a soft market, relatively low claims experience, and a relaxed data protection regime means cyber insurance is surprisingly inexpensive. Get those rates while you can.
Jamie Monck-Mason is an executive director in Willis Towers Watson’s cyber and TMT team