It's been a wild year for cyber crimes, with allegations of phone hacking at Rupert Murdoch's media empire, and the arrest of 14 people for alleged attacks on PayPal's website in retaliation for its decision to suspend the account of upstart Web-based public-disclosure operation WikiLeaks.
On top of those incidents, the U.S. Senate, the International Monetary Fund, Lockheed Martin, Citigroup, Google, and Sony were among organizations that disclosed hacker attacks, Reuters reported.
It all may be falling far too close to home for BigLaw firms and corporate counsel, who are beginning to shop for, or who are at least beginning to ask a lot of questions about, cyber insurance. Queries include exactly what the policies cover and cost, how insurers quantify losses and whether the policies are necessary.
“There is lots of chatter,” Anne Marie Davine, managing director of Marsh's U.S. law firm practice, says. “Rarely do we have a meeting with clients or potential clients where this topic doesn't come up.”
Marsh's website defines cyber risk as “a wide range of internet and network exposures” that include theft or manipulation of sensitive or private information (e.g., financial or health records); viruses that can destroy data, damage hardware, cripple systems; and computer fraud. See, http://usa.marsh.com/RiskIssues/CyberRisk.aspx.
Not a New Tool, Exactly
Cyber insurance has been around for a decade, but recent trends are prompting people who may have a need for this coverage to take a closer look at cyber insurance and at provisions that can be added to policies to cover a wide range of contingencies. Counsel, particularly for e-commerce firms, also are recommending that their clients look into cyber insurance coverage.
The number of insurers has also increased. One interesting trend that has emerged, and that may make counsel more versed in advising e-commerce clients, is that cyber-insurance providers are starting to offer cyber insurance tailored to the needs of law firms. Davine estimates that there are about a dozen standalone policies from a range of insurers, including AXIS Insurance, Monitor Liability Managers, and CNA. Others offer coverage as part of legal professional errors and omissions coverage, such as Travelers' “network and information security offense” policies for small to mid-sized law firms. (Travelers offers separate CyberRisk coverage for large organizations, but this coverage is not legal industry-specific.)
Also, because of increased competition, as well as more nuanced understanding of cyber risks among interested parties, prices of cyber coverage have dropped substantially, Davine says. Policies that cost $60,000 to $65,000 last year might be available for about $42,000 this year, she says.
Data Breaches Are Expensive
Meanwhile, counsel are recognizing what a data breach could cost, particularly if they are in a regulated industry such as finance or health care. In August of this year, the Ponemon Institute (www.ponemon.org) released its Second Annual Cost of Cyber Crime Study. The survey polled 50 companies and found that the average time to resolve a cyber attack is 18 days and that the median annualized cost is $5.9 million/year (a 56% increase over 2010). Smaller companies take a harder hit: $1,088 per employee, versus $284 in larger shops. Companies surveyed in the study reported 72 successful attacks per week, a spike of 44% over 2010. The most costly cyber crimes: “malicious code, denial of service, stolen devices, and Web-based attacks.”
Look for Specifics
The Chubb Group of Insurance Companies, which started offering law firm-specific policies two years ago, has seen sales double in the last year, according to James Rhyner, worldwide manager for lawyers' professional liability insurance.
Some firms haven't taken the dive. Fenwick & West started looking into cyber insurance about six months ago. “We haven't committed yet, but we're trying to educate ourselves,” CIO Matthew Kesner says.
Andrew Rose, who spent five years as global IT risk manager at Clifford Chance, was looking into cyber insurance before he left the firm in 2010 to join Forrester Research as a principal analyst. There isn't clarity on exactly what constitutes cyber insurance, he says.
“I can't tell you exactly what's in a cyber-insurance policy,” he says. “You get a different policy from every insurance company you talk to. They all seem to be talking about slightly different things.”
Third-party, First-party: Check It Out
Confusion also exists over which cyber risks may be already covered by existing policies. For example, damages to third parties, such as clients, may fall under a lawyer's professional liability policy.
Davine says that Marsh makes sure the professional-liability policies it writes for its large-firm clients contain very broad language that should cover most of that risk. Most professional liability insurers have said that they will cover a cyber claim, she says, “because the boundaries of the professional services that law firms bring to clients are so vast.”
But, Davine cautions, smaller law firms' policies may not have such broad language, so it's important to read the policies carefully. It's a nascent area of risk management, and insurers may get queasy if major losses begin to be paid under professional-liability policies.
“If that were to happen, then insurers could change that and start putting exclusions in those policies,” she predicts.
Adds Chubb's Rhyner: “Many law firms and brokers were under the assumption that the bulk of the exposure would be covered by their lawyers' professional liability policy. For some of the exposure, they are right.”
That coverage would most likely include claims that the firm did not adequately protect its clients' data, for example. It would not, however, typically cover so-called “first-party costs,” which include the cost of identifying the extent of the breach, assessing the damage, notifying clients, and providing credit reports and call centers as required by state privacy regulations.
“When you explain the other costs that are associated with a breach, those first-party costs that you're going to incur even before anybody sues, their eyes start to widen,” Rhyner says. “This is a new exposure they didn't have 10 years ago and they need to address it.”
Extortion on the Web? Oh, Yeah
Another risk not covered by professional liability is extortion, where someone hacks into the network, copies sensitive information and then threatens to expose it unless the hacker gets a ransom.
“That's a huge exposure when you think of some of the transactions that law firms are involved with, such as mergers and acquisitions, and that wouldn't be covered under professional liability policies,” he (Rhyner?) says.
Don't Ignore Threats to Social Media
Social media can be risky, too, says Melissa Krasnow, a partner in the Minneapolis office of Dorsey & Whitney. One risk, she says, is “loss of control: one person's or company's information is transmitted to a social media website of another (i.e., third-party) company.” The confidentiality or privacy of that data “could be breached, even unintentionally, by submitting it to or posting it on a third-party social media website.”
Poke Around in the Cloud
Cloud computing also raises issues. What happens if a provider has a breach of firm data? Rose says some insurers have told him that cloud providers have a lower level of liability coverage than would be comfortable for most law firms. Other insurers don't seem up to speed on cloud technology, Kesner observes.
“We've had very different answers from different carriers regarding whether cloud services are covered, and if so, how,” Kesner says. “The answers at first were blank faces, surprised that we were asking the question; then from others we've heard, 'We'll get back to you,' and at least one carrier [has] come up with a pretty good answer.”
That carrier “understood that cloud was a part of many IT portfolios today and would likely play a larger role in the future. [It was] working internally to decide how to measure the additional or reduced risk that cloud brings. [Its] analysis was not stopping [it] from providing quotes based on more traditional factors but it might impact premiums in the future,” Kesner explains.
Look at Risks
Perhaps the best advice: Start by analyzing risks, and then determine if your current insurance covers them. Ask questions about how insurers quantify losses.
“How do I prove losses from a data breach?” Rose says. “There are so many different ways it can damage an organization.”
Coverage issues are already in courts, including Zurich American Insurance Co. vs. Sony Corp. (SNE) of America, 651982/2011, New York State Supreme Court (Manhattan). Sony is seeking defense under Zurich policies against class-action suits for alleged damages stemming from the 2011 hacking of its PlayStation Network. Zurich claims the general liability policies it sold to Sony do not apply to the incident. (The complaint is available at http://bit.ly/LTN1110g.)
Sometimes the answer isn't buying more insurance. After a firm goes through the underwriting process and gets a quote, its members may ultimately decide to spend more to upgrade security rather than buy cyber insurance.
Says Rose: “It might be that that money is better spent actually reducing the risk of a breach in the first place.”
Good Buy or Goodbye?
Before you sign up for a cyber-risk policy, assess existing policies, particularly professional liability, to see whether and what cyber-related risks are covered or specifically excluded. Here's a mini-guide on what to look for:
Weigh whether the money for a cyber-insurance premium might be better spent on beefing up existing security.