With news of crippling cyberattacks against big companies making regular headlines, more and more law firms are buying cyber insurance to cover the cost of a data breach.
According to insurance brokerage Aon, more than 60 out of the 250 medium and large law firms that it services have purchased cyber insurance within the last two years. Marsh said that close to 40 percent of its roughly 100 large law firm clients have purchased the insurance, up from 20 percent two years ago.
Insurance professionals say the uptick is driven by an increased awareness of the threat of a data breach or hack, as well as a realization that existing law firm insurance policies don’t cover all the costs that could result from such an attack.
“A lot of firms were under the impression that professional liability would pick up almost anything. This is not the case,” said Tom Ricketts, a senior vice president and executive director at Aon. “This has been one of the major debates that we’ve had with law firms over the last two years.” The policies that law firms typically carry, such as lawyers’ professional liability insurance, general liability insurance and property insurance, do not always provide coverage when employee rather than client data is compromised, or when the firm must hire a forensic team to determine what data was lost and how. They also most likely won’t cover the cost of notifying regulators or engaging a public relations firm. Cybersecurity insurance policies are designed to cover those costs. This type of policy has been around since the late 1990s, but previously it was mostly purchased by banks and retail companies.
“For law firms, that awareness of it has hit a tipping point,” said Greg Vernaci, a senior vice president and head of cyber at AIG. “That’s why they’re buying more and more of this.”
Without getting into specifics, Vernaci said the rate at which law firms are buying cyber policies goes up every year. Daniel Garrie, co-head of the cybersecurity practice at Zeichner Ellman & Krause, identified another factor that is pushing firms to buy cyber insurance. “Their clients are compelling the action,” Garrie said. “They’re requiring the law firms to have cyber insurance as a matter of business.”
Insurance professionals said that cyber policies are complicated and vary dramatically as insurers seek to differentiate themselves from their competition. They also change regularly as the threats evolve.
“2016 is the year of ransomware and cyberextortion,” Vernaci said, referring to a hack in which cybercriminals freeze a company’s online systems and demand payment to unfreeze them. In a recent example, the Los Angeles County Department of Health Services lost control of its computers in a ransomware attack, the Los Angeles Times reported. The county did not pay the ransom demanded.
Vernaci said he has seen a large law firm subject to this type of attack recently, though he declined to name the firm. He emphasized that many industries are being targeted, not just law firms or health care providers.
Just as policies vary dramatically, so do their prices, Ricketts said. But he offered what he called “a very, very loose rule of thumb”: A policy should cost $10,000 to $15,000 for each $1 million of limit. In other worlds, a firm can expect to pay between $20,000 and $30,000 per year for a cyber policy that will cover up to $2 million in expenses.
