Understanding Law Firms’ Unique Exposure to Cyber Threats

Cyber liability has been an evolving risk for the last twenty years, but the conversations surrounding it have increased due to a surge in cyber-attacks. Law firms are a frequent target because of the type of information they store and their willingness to comply with demands in order to avoid reputational harm. To understand how a cyber liability policy can help protect a law firm, it is important to understand the purpose and intent of such a policy.

In its earliest form, the cyber liability policy covered damages owed because of a breach of Personally Identifiable Information (PII) and/or virus-related claims. Like a traditional general liability form, it was meant to protect against third-party claims as opposed to offering coverage for first-party (insured) costs. Due to the evolution of threats, it now covers numerous first-party claims such as cost of forensics, lost revenue (business interruption), data restoration, etc. It is also common to see cybercrime coverage for issues like extortion attempts, wire fraud and social engineering.

While virtually any business that uses a computer network is at risk for cyber threats (hello, all businesses), law firms are especially vulnerable for a number of reasons. First is the nature of the information collected. Broad cyber policies will cover not only the theft of personally identifiable information (PII) but also third-party corporate information for which the firm is liable. Law firms have a legal duty to keep client information confidential. This raises the question: when there is a claim that a firm breached that duty of confidentiality, should that claim be covered by a cyber liability policy or a professional liability policy? That is a good question. I always recommend looking for a professional liability policy that has no cyber-related exclusions, but insurance companies are making that more difficult these days. It is becoming more common to see cyber exclusions on the professional liability policy, which makes it even more imperative to understand the exclusions in your own policy forms.

Another reason law firms are seeing an increase in claims is the uptick in cybercrime. It is common knowledge that law firms have escrow/client trust accounts. This makes firms a large target for cybercrime. Cybercrime can come in many forms, including extortion, fund transfer fraud, social engineering, etc. Typically, extortion will be covered up to policy limits, but other forms of cybercrime are often subject to much smaller sublimits. Because there are true crime policies law firms can purchase for these exposures, cyber liability companies try to limit their exposure to this sort of crime. Again, the original intent of the form was to protect against legal liability for a data or security breach, although one could now argue that cybercrime is just as concerning.

The cyber liability market has tightened up in the last year as the frequency of claims has steadily increased. COVID-19 has played a significant role, with employees suddenly needing to work from home practically overnight. Employers did not have the time or resources to put proper precautions in place to protect their networks. Due to these claims, premiums have started to increase and underwriting has become more restrictive. It may be time to make some improvements to your cyber risk management strategy. Think about including annual training for your employees on common cyber threats. Many insurance companies offer this at no cost. Check with your IT provider on whether you have access to multi-factor authentication. That could be the difference between being offered and being denied coverage. The more confident an underwriter feels that a firm is taking proper risk management precautions, the more willing they will be to offer competitive coverage.

Even with the tightening of the market, cyber liability policies are still some of the most robust policies in the marketplace. Not only do they cover numerous types of claims and losses, but they usually come with additional benefits such as reputation protection, breach coaches, training resources, etc. Law firms will continue to be vulnerable in the future, and it will only become more important to evaluate whether this product is a fit for your firm.
