Law Firms Stunned by Cyber Insurance Premiums, Security Requirements, and Exclusions

Episode Notes

Transcript

[Music]

Intro:  Welcome to the Digital Edge with Sharon Nelson and Jim Calloway. Your hosts, both legal technologists, authors and lecturers invite industry professionals to discuss a new topic related to lawyers and technology. You’re listening to Legal Talk Network.

Sharon Nelson:  Welcome to the 175th edition of The Digital Edge: Lawyers and Technology. We’re glad to have you with us. I’m Sharon Nelson, president of Sensei Enterprises, an information technology, cyber security and digital forensics firm in Fairfax, Virginia.

Jim Calloway:  And I’m Jim Calloway, director of the Oklahoma Bar Association’s Management Assistance Program. Today, our topic is law firms stunned by cyber insurance premiums, security requirements, and exclusions. Our guest today is known to usual listeners of the podcast. He’s John W. Simek, the vice president of Sensei Enterprises which provides managed IT, managed cybersecurity and digital forensic services nationwide. He is certified as CISSP, a certified ethical hacker and a nationally-known testifying expert in the area of digital forensics. He and Sharon have co-authored 18 books published by the American Bar Association as well as hundreds of articles. Thanks for joining us today John.

John W. Simek:  It’s great to be here Jim.

Sharon Nelson:  Well John, let’s open up with a big story that recently made a lot of headlines and that story involved Lloyd’s of London which issued a notice on August 16 to its member insurers or syndicates requiring that they exclude coverage for state-backed cyberattacks. They said they wanted to protect insurance companies and their underwriters from catastrophic loss. But this is really a huge exclusion, many law firms are concerned and so my first question is, do you think cyber insurance is worth the huge premiums with this exclusion?

John W. Simek:  Short answer I think is yes. The premiums are in fact going up, but you’re right. I mean it was a huge, huge thing that Lloyd’s jumped out there with and basically they’re telling their underwriters, the folks that are dealing with Lloyd’s that, “You have to put these exclusions into your policies and they’ve got to take effect by the end of March of next year or the next time the policy renews then I’ll cover what those exclusions are” at least specifically, as Lloyd’s published them and said that, “You have to exclude losses arising from a war, whether that war is declared or not and where the policy does not have a separate war exclusion in it already. You have to exclude losses arising from state-backed cyberattacks that either significantly impair the ability of a state to function or that significantly impair the security capabilities of the state.” Third, it has to be clear whether the coverage excludes computer systems that are located outside any state which is affected in the manner that was outlined in the one I just read above the item number two I just read by the state-backed cyberattack. The fourth item is to set out a robust basis by which the parties agree on how any state-backed cyberattack will be attributed to one or more states. That’s going to be a real challenge obviously. And then five is ensure that all the key terms are clearly defined.

Boy, what a novel idea, hunted, make sure the definitions are clear. I found that interesting that they had to list that. But I guess what they’re trying to get to and what sort of raised all this point was the whole Russia-Ukraine thing. Now we’ve got these, the cyberattacks happening back and forth and, is there going to be any friendly fire? Is that going to impact any of the insured people? If somebody gets stuck in one of these wars, it’s all about money I think at the end of the day. As you said Sharon in the opening there, it’s because they want to protect them from these catastrophic losses potentially.

Jim Calloway:  Well John, states who sponsor cyberattacks don’t necessarily claim credit for it all the time. So another problem is that it’s very difficult to tell where the attacks are coming from, isn’t it?

John W. Simek:  Well, yeah, it is. As, you know, Jim, they’ll try to blame somebody, right? If China has ticked off at Iran or whatever it is, they might make it try to look like it’s coming from there or whoever, right? It doesn’t really matter who the nation state is. But obviously it’s — I mean, the lawyers are probably going to be happy about that because this is going to lead to litigation when you get down to it. Where the attacks coming from, we’re going to court to find out because there’s going to be a big fight over it.

(00:05:02)

But I thought an interesting quote that Lisa Ford said is a cybersecurity consultant and I’ll quote her says that, “Even if you identify the group behind the attack, even if you locate them on a country, let’s say Russia, and even if you can show that the Russian government knew about the group that attacked you and took no action against them and it’s not sufficient under international law to prove that the group’s actions are affiliated with the state.” So that statement alone is like, “Oh my God, even if you knew who they were or suspect who they were. Even as you had proof” like I said, you still probably going to end up in court fighting with the insurance companies and all the parties to try to figure out who the heck’s really at fault here.

Sharon Nelson:  Well you know, I think Lloyd’s went out front, but I suspect a lot of people are going to hang back. There’s inevitable court battles looming here. So I think they’re going to wait and see whether Lloyd’s gets away with this because it is kind of how it feels to law firms and others is that this is really not a fair proposition. While they’re being charged out the wazoo for the cyber insurance, this is a serious potentially decline in protection.

Jim Calloway:  Are you saying that they’re going to push somebody else forward in the line and say, “You make the decision first.”

Sharon Nelson:  Well think Lloyd’s took the initiative to do it. But yeah. Yeah, kind of that. I mean I know how well versed you are John on cyber insurance for law firms because we lecture on that topic all the time, but why don’t you just in general go through a little bit about what we’ve seen trending in the last year or two with rising costs and declining coverage. This really has been a trend that’s been most worrisome to law firms.

John W. Simek:  Yeah. I think the big thing is bottom line, is the dollars and what’s happening. A lot of folks have said early on that the cyber insurance market was undervalued and now people are starting to wake up to what that really is. Average increases in premiums, 30 to 40% is not unusual. Sharon, as you know, our own insurance policy cyber average increased 30% and we didn’t do anything any different.

Sharon Nelson:  Yeah, I could have got all day without you reminding me about that but yeah, it was painful. I mean, as you recall, it was very painful.

John W. Simek:  Oh yeah. No. We have never had a claim ever in our entire existence. I know inflation is up there too, but maybe somebody took the calculator out and says, “Geez, you know, 1.3 times this premium sounds good” and that’s what we ended up with. But I think to a large degree and Lloyd’s was kind of jumping on the bandwagon as well with their announcement, is the insurance carriers have at least traditionally up until now the whole deal — and let’s talk about ransomware as an example. They’ve been paying those ransoms and they’ve been paying the ransoms as part of the coverage because it’s cheaper and to a large degree — I mean they make those business decisions. It’s cheaper to pay for that ransom than it is to pay to recover systems and do all this other stuff as part of the business continuity.

So as a result of all those payouts, right? They need to cover that if you will and so the premiums have correspondingly gone up in order to try to recoup some of those costs. We’re also seeing those in addition to the rise of the premiums, we’re seeing coverages back off. So either the insurance carrier is going to exclude a ransom payment as an example or they’re going to significantly limit it. So as an example, your policy might say, where before there was no designation as to any limit or whatever your policy limit is right? A million, two million dollars, whatever you’ve got. And now they’re going to say, “Well, except when it comes to ransoms. We’re only going to pay max hundred grand, whatever.” So they’re limiting back on the payment for ransoms, ransom payments, and/or excluding them all together and then you tack that on top of Lloyd’s announcement about these other state-backed attacks and you’re getting even less for more.

Jim Calloway:  Well John, cyber insurance applications are also a nightmare to fill out these days, what are cyber insurers demanding of law firms these applications and do you find that some lawyers don’t even understand some of the questions that they have to answer in the application?

John W. Simek:  Definitely Jim. I mean that’s what we do for a living. One of the things, the majority of our clients are law firms and lawyers and we get that all the time. “Oh geez, I got my insurance policy renewal come up and this questionnaire or this application they want me to fill out. I don’t understand what these questions mean.” That’s part of the problem. The other part of the problem is that when explain what those questions mean, they don’t like those answers.

Sharon Nelson:  Well, and the answers might get them denied coverage.

John W. Simek:  True because they’re not doing some of the things that the insurance companies are asking for. But a lot of things now are much, much more specific for the policies. I’ve seen many of these different companies with their applications and some are short and sweet or relatively short and sweet and some are like horrendously long, 15, 18, 20 pages long but they’re asking things about your operation, multi-factor authentication, who do you use? What do you have even to that point, right?

(00:10:02)

Whose authentication system do you use if you do have it in place? Do you have any open ports whatsoever? What services are you running there? And they’re asking specifically about that. Many of the companies, the cyber carriers are actually hiring companies to do scanning, so they’ll scan the internet and they’ll scan your networks to try to find out if you do in fact have open ports. Are you running RDP? Are you running a terminal server? Those kinds of things. Do you have an FTP server active? And they’ll use that information to come back to you and say, “Well how are you securing that? They’re asking about the types of training that you’re doing. Are you training your employees on at least an annual basis? Things like that. They want copies of your policies, right? What kind of internet use policy do you have? What kind of remote access policy do you have? Email policy, et cetera?

So all this, they’re starting to drill down more and more into the details. I have one of the applications up here in front of my screen right now. I mean, it’s kind of, besides the training and the proper use of the email, do you have any established procedures to kill network access? What’s your process for the transfer of money, of electronic payments for business email compromises? Those kinds of things. Do you require background checks for employees? Those are all part of this renewal application. So they’re really starting to get into your business if you know what I mean.

Jim Calloway:  Before we move on to our next segment, let’s take a quick commercial break.

Advertiser:  Smokeball is the cloud-based practice management software that lets you run your law firm like a well-tuned business. Automatically record your time and activities, easily organize documents and conversations from every matter, complete and send documents quickly with a vast library of pre-loaded forms and work efficiently with robust Microsoft Office integrations. Smokeball puts the power of anytime, anywhere at your fingertips. Schedule your free demo today at smokeball.com.

[Music]

Adriana Linares:  Are you looking for a podcast that was created for new solos? Then join me, Adriana Linares each month on the New Solo podcast. We talk to lawyers who built their own successful practices and share their insights to help you grow yours. You can find New Solo on the Legal Talk Network or anywhere you get your podcast.

Sharon Nelson:  Welcome back to the Digital Edge on the Legal Talk Network. Today, our subject is law firms stunned by cyber insurance premiums, security requirements, and exclusions. Our guest today is John Simek, the vice president of Sensei Enterprises which provides managed IT, manage cybersecurity and digital forensic services nationwide. He is a certified system security professional, a certified ethical hacker and a nationally-known testifying expert in the area of digital forensics. He is also my husband. That’s probably your favorite position, right John? Get the answer right son, you’re going home with me.

John W. Simek:  Oh yeah, yeah, yeah. The pay stinks though.

Sharon Nelson:  Pay does stink. So John, can you describe to us some of what in cyber insurance companies are now requiring that you don’t necessarily agree with because I’ve seen you pitch more than one hissy fit about the people who broke the application didn’t know what the hell they were doing.

John W. Simek:  Yeah. I think the affectionate term I call them are desk jockeys. The one thing that really gets me is the way they ask the questions and I’m going to back up a little bit. If you’re familiar with doing your PCI, your credit card assessment questionnaires, et cetera, they have this thing that’s called compensating factors so you can answer a certain way, but then they give you an opportunity to say why you’re doing it that way. So we have compensating control in order to take care of that. I have yet to see a cyber-insurance application or renewal that gives you any of that kind of opportunity. It’s yes-no kind of thing or yes-no, tell me the manufacturer, tell me the software, that kind of stuff.

One of the areas that really gets under my skin is the blanket, I guess, consideration that they have for remote desktop protocol, RDP. If you have RDP running, the remote desktop protocol, which is a remote access method, and it doesn’t matter how you’ve secured it, whether you’ve secured it, et cetera.  Just the fact that you have it running could be grounds for you to not have any coverage and they’ll throw it out the window. So it’s very, very black and white to the insurance carrier. They don’t ask you, “Well if you are running RDP, are you running it securely? Is it patched? What else do you have in place? Are you using multi-factor authentication? What kind of other restrictions do you have potentially in place in order to?” Because you can in fact securely use an RDP connection, but the insurance companies apparently don’t know that that’s possible.

(00:15:03)

Jim Calloway:  How should law firms go about getting a security assessment at a reasonably price? This is often demanded by cyber insurance companies, but increasingly also by clients.

John W. Simek:  That’s true Jim, the clients are demanding at least from the law firms, “Tell me how you’re protecting my data, et cetera.” Obviously number one is going to be talk to your colleagues and who they’ve used. Look for smaller firms, smaller companies and definitely flat fees. You can get the security assessments done for flat feet on a per device basis per user basis or whatever it is, and very reasonable. But if you go to the big companies that are out there, the multi-million, billion dollar companies, then you’re going to pay a high price for that. I would suggest maybe taking a look more at smaller, more niche type cybersecurity firms and there’s many of them out there that do a very, very credible job and for very reasonable price.

Sharon Nelson:  A question we’ve been asked a lot John is, are you compelled to use a cybersecurity company affiliated with the cyber insurer? And we’re seeing that more and more and if you do that, is your data secure? One thing we both know is that cyber criminals target cyber insurance companies specifically for the security data they hold of those they insure. That’s been a target for a long time now.

John W. Simek:  The cyber insurance companies are partnering with the cybersecurity companies that are out and they negotiate lower rates for them. Are you compelled to use them? Well, sometimes you are, especially if you have a security incident but there’s nothing that precludes you from using your own and getting us a second opinion if we will because my one of my concerns is that if the company is affiliated with the insurer, then they have a vested interest and what the outcome is going to be or what the determination of the breach investigation or any of those kinds of things are. But I’m also very concerned, and Jim, this gets to what your earlier question about the applications. I’m also concerned about the cyber insurance companies in themselves, the amount of data that they have. If you looked at some of these cyber applications, because the detail that they’re asking for — as an example, “Whose multi-factor authentication are you using? Are you using duo Google Authenticator, Microsoft authenticator?” Well, you’ve already now given the cybercrime — and the cybercriminal let’s say gets into that network, they now know all of this stuff about you.

What kind of firewall you’re running? Well, they know the manufacturer now. They may even though the model number. So you’re giving them all this advanced information and you’re entrusting that to the insurer because they’ve asked for it on the application. God forbid, if cybercriminal got into that insurance network, they’ve got pure gold because they’ve got all this information about you and what weaknesses or what they should or shouldn’t attack.

Jim Calloway:  John, I’ve read that increasingly law firms, especially the small and mid-sized firms are abandoning cyber insurance because of the cost, and I’ve talked to a lot of solos setting up their practice first two or three years who literally cannot afford it. But what are the risks and dangers in doing that?

John W. Simek:  You’re right Jim. The price is driving a lot of them from that decision not to carry that coverage, but I wouldn’t do it. I mean it’s very risky, it just takes just one incident and unless you’re independently wealthy which I know a lot of folks are not, you’re not going to be able to cover that loss, and that’s what insurance is for is to cover that. Certainly, you need to know what you’re paying for and what you’re getting for what you’re paying for. But yeah, it could be a really big financial burden to you.

Sharon Nelson:  You know it was amazing, timeliness of these stories as they come out. But I read one this morning about this new survey that’s been done by a reputable group and they surveyed firms, not law firms necessarily but businesses in both Canada and the United States. And as of the release of this report, which was apparently just happened last week, 55% of organizations do not have cyber insurance and that’s amazing.

John W. Simek:  Oh yeah. Yeah it is. It’s scary actually.

Jim Calloway:  And on that amazing note, let’s take a quick commercial break.

[Music]

Sharon Nelson:  As a lawyer, keeping up with developments in information security, cyber threats and e-discovery is a never-ending process. Fortunately, the Digital Detectives podcast does the hard work for you. I’m Sharon Nelson and together with John Simek, we bring on industry experts to discuss the latest tech developments that help keep your data secure only on the Digital Detectives podcast.

Conrad:  Hey Gyi, what’s up?

Gyi:  Just having some lunch, Conrad.

Conrad:  Hey Gyi, do you see that billboard out there?

Gyi:  Oh, you mean that guy out there in the gray suit?

Conrad:  Yeah, the gray suit guy.

(00:20:00)

Gyi:  There’s all those beautiful rich leather-bound books in the background.

Conrad:  That is exactly the one. That’s JD McGuffin at Law. He’ll fight for you.

Gyi:  I bet you, he has got so many years of experience.

Conrad:  Like decades and decades and I bet, Gyi, I bet he even went to a law school.

Advertiser:  Are you a lawyer? Do you suffer from dull marketing and a lack of positioning in a crowded legal marketplace? Sit down with Gyi and Conrad for Lunch Hour Legal Marketing on the Legal Talk Network. Available wherever podcasts are found.

Sharon Nelson:  Welcome back to the Digital Edge on the Legal Talk Network. Today, our subject is law firms stunned by cyber insurance premiums, security requirements, and exclusions. Our Guest today is John Simek, the vice president of Sensei Enterprises which provides managed IT, managed cybersecurity and digital forensic services nationwide. So John, what is the best way for a law firm to find a good and reasonably priced cyber insurance company? Because that’s what we’re always telling folks. They were looking at these big firms and they really are not looking at the smaller insurers and we learned an important lesson which I know you’re going to tell us about in your answer.

John W. Simek:  The key is to find a good broker because just like as all the lawyers know that you’re an advocate for your client. Well that’s what your insurance broker is, they’re an advocate for you, but get somebody that is well versed and understands the cyber market and who the various players that are out there, the various coverages that are there, what the cost, et cetera, all that stuff is. As you point out, Sharon, I mean, we learned that our previous broker because we did in fact change brokers — nice group of folks, but just really didn’t know the cyber market and when we started to see our premiums go up by 30%, et cetera and by these ridiculous demands that the insurers were asking for, they weren’t going to bat for us. But if you do have a good broker, they will know your business. They’ll know what coverages are appropriate for you and they’ll know what carriers are out there.

When we switched brokers, we got several quotes, et cetera from some different carriers. A couple of carriers, Sharon, as you recall, we never heard of before, but as you do some research into it, you find out, “Oh yeah, these guys are pretty good. They’ve been around a while. It didn’t raise any red flags if you will.” But the broker knew that these were good folks to go for and that they were reasonable. So I think that’s really a key is to get a good broker that understands this particular market area and they’ll help you. I mean as you know, I mean we got better coverage for less money which is certainly directionally.

Sharon Nelson:  You ought to say that again, better coverage for less money and we were shocked at how much better the coverage was and that we paid less for it. So it really is all about the broker. That’s one of our primary lessons today.

John W. Simek:  Yeah. Well I think, Lloyd’s said it right when they said the key terms are clearly defined, right? I mean it’s who we ended up with. Everything is very clear and well spelled out and the premiums were less. So that’s where you want to be, right?

Jim Calloway:  Unfortunately, there’s no real easy answers on any of these issues, John, but do you have any final thoughts or recommendations to close this podcast?

John W. Simek:  At the end of the day, Jim, the cyber insurance market is going to continue to go. It’s going to continue to get expensive, but I would suggest that it’s smart for the law firms to heed kind of some of the things that the cyber insurers are asking about, the multi-factor authentication items that they’re now putting in their applications. You should be doing that anyway. So you should be doing things that are improving your security posture and budgeting for things. You don’t have to do it today, maybe if you budget for it for next year, two years, down the road or whatever it is on some of these things.

But certainly, it’s not going to get any easier and we’re going to have to make sure that we’re doing things smartly because the more secure that you make your environment that you can prove your environment secure, this is ammunition for your broker, right? So your broker then can go to the carrier and get those lower rates for you because they say, “Well you know, my client here has these different things in place already and they’re going to Zero Trust as an example and they’re doing this and whatever.” That’s a whole other podcast on Zero Trust, but things like that. I mean you should be doing it and not everything costs money, right? There’s things that are free or very low cost that will certainly improve your security position.

Sharon Nelson:  Like MFA.

John W. Simek:  Like MFA, but you don’t have to wait for the insurance carrier to demand it. I mean, you should be doing these things anyway.

Sharon Nelson:  Well, I really want to thank you for joining us today. I think a lot of people listening have learned quite a bit about cyber insurance and it’s amazing how something we knew so little about say 10 years ago, we both become experts on today and you in particular love to read through these lengthy documents which I do not enjoy.

(00:25:09)

So I appreciate that you do that too. But thanks for sharing all that knowledge because I know this was a useful teaching session for folks.

John W. Simek:  It’s been a pleasure and it’s always great to be with Jim, but you as well.

Sharon Nelson:  Well I’m glad I got and also ran. That does it for this edition of the Digital Edge: Lawyers and Technology. And remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com or on Apple Podcasts. And if you enjoyed our podcast, please rate us in Apple Podcasts.

Jim Calloway:  Thanks for joining us. Goodbye Ms. Sharon.

Sharon Nelson:  Happy trails cowboy!

Outro:  Thanks for listening to the Digital Edge produced by the broadcast professionals at Legal Talk Network. Join Sharon Nelson and Jim Calloway for their next podcast covering the latest topic related to lawyers and technology. Subscribe to the RSS feed on legaltalknetwork.com or in iTunes.

The views expressed by the participants of this program are their own and do not represent the views of nor are they endorsed by Legal Talk Network, its officers, directors, employees, agents, representatives, shareholders and subsidiaries. None of the content should be considered legal advice. As always, consult a lawyer.