Judy Selby is a partner at Kennedys and has over 30 years of insurance coverage experience. Judy was...
Sharon D. Nelson, Esq. is president of the digital forensics, managed information technology and cybersecurity firm Sensei...
Director of the Oklahoma Bar Association’s Management Assistance Program, Jim Calloway is a recognized speaker on legal...
Published: May 26, 2022
Podcast: The Digital Edge
Category: e-Discovery, Data & Information Security
If you’ve struggled to afford cyber insurance, you’re not alone. In the past year, prices rose by 30 to 40 percent, and some law firms, especially solos and smalls, were forced to cancel or downgrade coverage in the wake of sudden price hikes. Additionally, inadequate cybersecurity in a firm may lead to a denial of coverage altogether. So, what’s going on? Sharon Nelson and Jim Calloway talk with Judy Selby to get a handle on the rapid changes in the cyber insurance industry and what firms should do to maintain coverage in this difficult market.
Judy Selby is a partner at Kennedys and a member of their global cyber team. She primarily serves as cyber coverage and monitoring counsel to insurers.
[Music]
Intro: Welcome to The Digital Edge with Sharon Nelson and Jim Calloway. Your hosts, both legal technologists, authors and lecturers, invite industry professionals to discuss a new topic related to lawyers and technology. You’re listening to Legal Talk Network.
Sharon Nelson: Welcome to the 171st Edition of The Digital Edge Lawyers and Technology. We’re glad to have you with us. I’m Sharon Nelson, President of Sensei Enterprises, an information technology, cybersecurity and digital forensics firm in Fairfax, Virginia.
Jim Calloway: And I’m Jim Calloway, Director of the Oklahoma Bar Association’s Management Assistance Program. Today our topic is Cyber Insurance for Law Firms: Skyrocketing Prices and Less Coverage. Our guest today is Judy Selby, a member of Kennedys Law Global Cyber Team. She primarily serves as cyber coverage and monitoring counsel to insurers. She was honored as a 2021 National Law Review Insurance Law Trailblazer and received 2021 JD Supra Readers’ Choice Awards in insurance and in cybersecurity.
Judy has completed advanced courses at the Massachusetts Institute of Technology (we don’t have many MIT graduate guests, Judy) in the areas of big data, crisis management, business continuity, cybersecurity, and the Internet of Things. Thanks for joining us today, Judy.
Judy Selby: My pleasure. Thanks for having me, guys.
Sharon Nelson: We’ve picked a subject that’s particularly painful to lawyers because last year cyber insurance pricing rose 30% to 40%. It was incredibly damaging to many people, especially the solos and smalls, some of whom had to terminate their insurance. They just couldn’t afford it. What caused the big increase? And do you think it’s going to be worse in 2023?
Judy Selby: That is the question of the year, and pricing really did go up. I think it’s a combination of factors, Sharon. First of all, this is not going to be a popular answer in my view, and I think this view was shared by many others in this space. The insurers were underpriced for a long time. It was in what we call a soft market. And the easiest way to explain that is insurance used to be hard to sell, now it’s hard to buy. And so now we have swung from a soft market into a hard market. And that is driven by the tremendous level of losses that the cyber insurers saw over the past couple of years, but particularly in 2020. Insurers measure their profitability by something called a loss ratio, and the loss ratios got very very bad, and so insurers took a number of steps and I know we’ll talk about a lot of them going forward, but one of the steps that they took to kind of right the ship from a sustainability point of view was to increase the premiums.
One thing that’s important to always remember, the cyber insurance industry and product is relatively new in the grand scheme of things, and unlike property insurance, for example, or CGL insurance, these coverages that have been around for a long time, insurers are able to price the coverage based on decades and decades and even hundreds of years in some instances of data that they’ve collected about the losses that they tend to see. That type of data doesn’t exist in the cyber insurance space. We’re starting to get it, we’re starting to build it, but the issue was compounded by the fact that we’re also dealing with an ever-evolving threat landscape. We never know from one year to the next what will be the big driver of cyber losses and claims, and hence then cyber insurance losses.
So I think all of those things are factoring in together. I don’t know if prices will continue to go up, but I wouldn’t expect them to go down anytime soon.
Jim Calloway: Adding to the pain of lawyers, we’re seeing more exclusions in insurance policies, especially excluding nation state attacks; something that’s been on everybody’s radar more recently. What other types of new exclusions are you seeing?
Judy Selby: You know what’s interesting, Jim, I don’t know that these are actually new exclusions or additional exclusions. I just think they’re getting more attention now. The war exclusions or nation state attack exclusions have been in most policies and everything I say, by the way, I should caveat because there are no standard cyber insurance policies and every carrier has their own unique policy.
(00:05:07)
So keep that in mind as we’re going through this, but almost every cyber insurance policy I’ve seen has had for a long time some type of a war exclusion in there. And I think in terms of other exclusions in cyber policies, they’re typically things like excluding coverage for bodily injury or property damage, but what we see in the cyber claim space now is not so much application of exclusions because the coverage is very very broad, so a lot of things will come within the coverage of most cyber insurance policies.
So what you’re more likely to see that would give rise to some type of coverage issues would be a claim that just never fell within the coverage in the first instance. So there’s a coverage called Betterment, for example. And that would provide some coverage that would actually help you make your system instead of getting you back to where you were before an incident. It would provide coverage to actually improve your systems a little bit. If you don’t have that coverage in the first instance, then obviously it wouldn’t fall within the coverage of the policy. So it’s not so much an exclusion as it does it fall within coverage. The other types of issues that we’re seeing are now that the claims are getting more severe in nature, they’re not really “simple” data breaches that we saw years ago. We run into issues of are the actions being taken, such as by the forensic firm that’s brought in to assist the policyholder, are they remediating, or are they actually going beyond remediation, which may not be covered by the policy. If there is a loss for business interruption, does that fit within the coverage, the policy terms of coverage for a business interruption or business income loss type of coverage.
And then, of course, like every insurance policy, the costs incurred have to be reasonable and necessary. So when you get into these bigger claims, there’s always an issue of was this incident handled in a reasonable way? Were the costs incurred necessary? And that’s all assuming they fall within coverage in the first instance.
Sharon Nelson: Well, another pain point for lawyers, Judy, is the long list of questions about their cybersecurity. So I’m interested in why insurers feel it necessary to ask so many questions and I’m also interested in the fact that it seems to me it’s dangerous to give such information to cyber insurance companies knowing that they themselves are targeted by cyber criminals who want to know who they are insuring and for how much. So by giving them all this information, the cybercriminals would have information about a law firm’s cybersecurity which could be useful to actually breach the firm. What do you think about all that?
Judy Selby: The reason that there’s a much greater underwriting scrutiny, which is the list of questions that you’re referring to, is that the insurers, this is part of being in the harder market, where they’re applying a lot more scrutiny, I’ll say, of prospective insureds in the underwriting process, and now that we have this kind of a building history of data, the types of claims we’re seeing, the questions are typically targeted towards the risks that the insured is looking to transfer to the insurance company. And so you’ll see really drill down questions, and I think this is what you’re referring to, as to security practices that will impact your risk for ransomware, for example, and not just your ability to prevent an attack, but also your ability to bounce back from attacks, which is your business continuity and disaster recovery situation, looking at your backups and things of that nature.
So it’s not unlike some other lines of insurance, like let’s say, property insurance. If you’re looking for a commercial property policy, if you own a factory, they’ll ask you what are your fire mitigation practices, how many sprinklers do you have, what type of exits do you have, and are they blocked. Things of that nature. So it’s kind of the equivalent of that. And when you look at cyber, because there are so many different types of coverage typically in a cyber insurance policy, there’s coverage for both first party and third-party exposures. The first party are the costs that the insured law firm incurs themselves, like let’s say there’s a data breach, there will be coverage for the investigation and the law firm to manage the whole thing, notification, all those types of incident response coverages. But there’s also coverage for regulatory investigations and third-party lawsuits and class action lawsuits, for example.
(00:10:00)
And so, there’s lots and lots of different risks that these questions are going towards, regulatory exposures. You know, are you subject to CCPA in California, for example, or GDPR. Do you deal with regulated data such as health information? So all those questions are really kind of targeted to those risks that the policyholder is looking to transfer. And then in terms of your other question, I know that there was an alleged threat actor from one of the big ransomware gangs who allegedly gave an interview. Who knows how true any of this is because we are dealing with criminals, after all. In that interview, this alleged threat actor said, “Oh, yeah, we target cyber insurers.” I don’t know that there’s actual proof of that. I think they’re targeting anybody with data, but it’s the same type of information you would provide to any one of your insurers for any type of coverage you’re getting, but insurance companies are regulated entities in and of themselves. The NYDFS, which is the regulator in New York, for example, was the first to come out with this very comprehensive risk-based cybersecurity regulation back in, I guess, 2018.
That really kind of set the standard of how insurance companies have to manage their cybersecurity risks as aggregators of information. The National Association of Insurance Companies also has a model cybersecurity law that has been adopted by, I think, now 21 states. And so maintaining security over the data they’re collecting and have under their control is a huge priority for insurance companies generally.
Jim Calloway: Many law firms are now hearing that their cyber insurance companies will no longer insure them because the law firm’s cybersecurity is inadequate. What do you recommend law firms do if they are denied coverage for that reason?
Judy Selby: I think the best thing to do is try to avoid that happening in the first instance because you will likely have to disclose that going forward for a couple of years down the road when you fill out an application, they may ask you, have you ever been denied coverage. So the best way to prevent that from happening is to really get your data and cyber house in order before you apply in the first instance. And it’s taking longer for the reasons relative to the question that Sharon asked a little while ago. I would work with a really good cyber broker and know the types of questions and the types of information you’re going to have to have, the practices and procedures you’re going to need going into the process in the first instance. And you may need to bring in a third party to help you. Somebody to help you kind of get your house in order before you go in and apply. If you’ve been denied, before you reapply to another carrier, I would suggest really taking the time to do that.
It’s not a great answer, Jim. I understand that it’s expensive and it will take time, but it’s really a cost of doing business today. A lot of people like Sharon and John have been talking about this for years and years. How important it is for people to focus on these things, and so now it’s really become table stakes as you’re approaching insurance companies to whom you want to transfer your risk, to have these practices a multi-factor or whatever it may be. Have these things in place going in not only to try to get the best premium you can get, but try to get the best coverage you can get or get covered at all.
Jim Calloway: Well, that’s very interesting. Before we move on to our next segment, let’s take a quick commercial break.
Sharon Nelson: Now more than ever, an effective marketing strategy is one of the most important things for your firm. Scorpion can help. With nearly 20 years of experience serving the legal industry, Scorpion has proven methods to help you get the high value cases you deserve. Join thousands of attorneys across the country who have turned to Scorpion for effective marketing and technology solutions. For a better way to grow your practice, visit scorpionlegal.com.
Smokeball is the Cloud-based practice management software that lets you run your law firm like a well-tuned business. Automatically record your time and activities, easily organize documents and conversations from every matter, complete and send documents quickly with a vast library of preloaded forms, and work efficiently with robust Microsoft Office integrations. Smokeball puts the power of anytime, anywhere at your fingertips. Schedule your free demo today at smokeball.com.
(00:15:04)
Welcome back to The Digital Edge on the Legal Talk Network. Today, our subject is Cyber Insurance for Law Firms: Skyrocketing Prices and Less Coverage. Our guest today is Judy Selby, a member of Kennedys Law Global Cyber Team who primarily serves as cyber coverage and monitoring counsel to insurers. She was honored as a 2021 National Law Review Insurance Law Trailblazer and received 2021 JD Supra Readers’ Choice Awards in insurance and cybersecurity. Are deductibles also rising as part of this nightmare, Judy?
Judy Selby: I think what we’re seeing, Sharon, is kind of a multifaceted approach to this issue. We’re seeing deductibles, or retentions as they’re called in the insurance space, increase as well as premiums going up and sometimes other measures like sublimits being applied, so yes.
Jim Calloway: Most lawyers think of cybersecurity and they first only think of ransomware. Is ransomware basically driving all these draconian measures or are there other factors in play?
Judy Selby: Yes, I think ransomware has been the primary driver, but one thing you have to remember, Jim, in the context of a ransomware claim and its impact on insurers is that a ransomware event can trigger a lot of different coverages under a Cyber Insurance Policy. For example, you have a ransomware event that would trigger the ransomware coverage under the policy which typically includes the investigation and the negotiation and a payment of a ransom if it’s legal, but it can also, as we’re seeing much more now and this is a real driver of what we’re seeing in today’s market, ransomware coupled with a data breach. So the threat actors go in, they exfiltrate a lot of data and then they launch the ransom and so the ransom applies to both the decryption and getting your data back and they’re threatening to post it online, et cetera. But you can also then, because you’re encrypted, have a business interruption loss, you can have third-party lawsuits, especially if there’s a data breach, and you can also have regulatory investigations and fines. So one single event can trigger lots of coverage within one single cyber insurance policy.
Sharon Nelson: It seems to many of our law firm clients here that cyber insurers have become increasingly inflexible, adopting more of a take it or leave it set of rules for the law firms. Some of the law firms who have often been loyal to their cyber insurance for years are getting angry, especially when they get start communications from their insurance company that coverage is being declined. Are we now down to it’s my way or the highway with these insurers?
Judy Selby: They’re definitely taking a much stricter approach and part of that is driven by reinsurers. Prospective insurers have to have a certain level of cyber hygiene, good cyber practices, however you want to call it. And when I say cyber, I also mean privacy. So yeah, you have to have like a certain level now for many insurers to be willing to take on your risk.
Jim Calloway: Well, following up on Sharon’s last question, how does a law firm find a good insurance broker to assist them in selecting a cyber insurer in this difficult landscape? I assume not everyone knows how to do this.
Judy Selby: Yeah. And it’s hard to find a really good broker. It’s such a technical space, the policies are complicated, and you really need somebody who’s going to dive in and really dig into the wording of the policy. So what I would suggest is ask around, speak to colleagues, speak to people in your world, ask them what their experience has been, reach out to experts in the space and ask for recommendations. Reach out to lawyers in this space. I get asked that question a lot. I represent insurance companies, but policyholder side lawyers are also a good source of information to deal with, but I would really do my due diligence and ask them not just how well they try to understand, how well they understand the coverage, but what their experience has been in managing cyber claims, because brokers play a big part in managing a cyber event when it happens. So we drill down and ask them how many cyber claims they’ve actually handled and what the outcome has been.
Jim Calloway: Okay. Before we move on to our next segment, let’s take a quick commercial break.
Sharon Nelson: As the largest legal-only call center in the U.S., Alert Communications helps law firms and legal marketing agencies with new client intake. Alert captures and responds to all leads 24/7, 365 as an extension of your firm in both English and Spanish. Alert uses proven intake methods customizing responses as needed, which earns the trust of clients and improves client retention.
(00:20:00)
To find out how Alert can help your law office, call 866-827-5568 or visit alertcommunications.com/ltn.
Jim Calloway: The Blackletter Podcast demystifies complicated law and business issues by breaking them down into simple understandable bytes. Hosted by Tom Dunlap of Dunlap, Bennett & Ludwig. This show features fun and informative conversation with esteemed guests like CEOs and former ages of the CIA. You can listen to Blackletter today on iTunes, Google Play, Spotify or wherever you get your podcast.
Sharon Nelson: Welcome back to The Digital Edge on the Legal Talk Network. Today our subject is Cyber Insurance for Law Firms: Skyrocketing Prices and Less Coverage. Our guest today is Judy Selby, a member of Kennedys Law Global Cyber Team who primarily serves as cyber coverage and monitoring counsel to insurers.
Judy, what advice do you have for law firms that are looking for cyber insurance in today’s market? I know you’ve made some recommendations and suggestions, things maybe to be wary of, what else have you got in your pot there?
Judy Selby: Yeah, the main thing is to put your best foot forward when you’re going into the process, but one thing I would add is this process now takes a lot longer, so start preparing in advance. I usually say about three months in advance, so if your policy expires at the end of December, you want to start looking at this by October, finding out the information you need and start doing that. And the other thing too is do take the time and compare coverage among different policies. Not everybody needs the broadest coverage there is going, but it’s important that you know what your cyber risks are before you start trying to buy insurance for it. Understand what your risk profile is; cyber and privacy risk profile, and don’t forget, liabilities you’re assuming under various contracts, those liabilities may or may not be covered under an insurance policy, but all of that goes into figuring out what your cyber risk profile is, and then try to get the coverage to match up as well as you can with that coverage.
Jim Calloway: One final question. Besides the issues we’ve already discussed, could you look into your crystal ball and tell us what changes you see coming with cyber insurers in the next year or two?
Judy Selby: Yeah, Jim, I think it’s going to be more of the same. I think it’s going to be insurers are starting to get into a better place. I think surer footing in light of the steps they’ve taken over the past 18 months or so, I would look for more of the same. As I said, I wouldn’t look for prices to go down, and I would expect the continued rigorous underwriting to go forward, particularly because the threat landscape is always changing and our level of interconnectedness and dependence on each other in order to operate any type of business. We’re all dependent on our business partners who are hosting data or doing something for us. All of those factors are creating not just risk to any individual entity, but also systemic types of risk. And we haven’t talked about it or we briefly addressed it in the beginning, these issues around the conflict between Russia and Ukraine, all these things increase the risk of collateral damage as we saw with (00:23:31) a few years ago. All of these things continue to make the space volatile. So I wouldn’t expect any big rollbacks in premiums or anything for the foreseeable future.
Sharon Nelson: I think we both agree with you, but it’s tough on certainly the law firms, and they are suffering today, and you never used to hear them talk and talk and talk about cyber insurance. But these days, it’s heavy on everybody’s mind. So I sure want to thank you today for joining us, Judy. Both of us are grateful to you. We love having an expert on the subject. This was really helpful to explain in more detail some of the things that I think the lawyers don’t always understand or appreciate and how complicated it all is, but thanks very much for being with us.
Judy Selby: My pleasure and thanks for shining a light on these issues.
Sharon Nelson: That does it for this edition of The Digital Edge Lawyers and Technology. And remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com or on Apple Podcast. And if you enjoyed our podcast, please rate us on Apple Podcast.
Jim Calloway: Thanks for joining us. Goodbye, Ms. Sharon.
Sharon Nelson: Happy trails, cowboy.
Outro: Thanks for listening to The Digital Edge. Produced by the broadcast professionals at Legal Talk Network. Join Sharon Nelson and Jim Calloway for their next podcast covering the latest topic related to lawyers and technology. Subscribe to the RSS feed on legaltalknetwork.com or on iTunes.
The views expressed by the participants of this program are their own and do not represent the views of, nor are they endorsed by, Legal Talk Network, its officers, directors, employees, agents, representatives, shareholders and subsidiaries. None of the content should be considered legal advice. As always, consult a lawyer.