Judy Selby is a partner at Kennedys and has over 30 years of insurance coverage experience. Judy was...
Molly Ranns is program director for the Lawyers and Judges Assistance Program at the State Bar of...
JoAnn Hathaway is the Practice Management Advisor for the State Bar of Michigan. With a multifaceted background,...
Published: June 10, 2024
Podcast: State Bar of Michigan: On Balance Podcast
Category: Legal Technology, Practice Management
Cyber threats abound in our modern world, and lawyers and law firms are prime targets due to the sensitive nature of the information they hold in trust for clients. As such, cyber insurance is becoming a necessity for attorneys, but many feel overwhelmed by the numerous options available to them and how policies change as cyber risks evolve. To help lawyers comprehend the spectrum of cyber insurance services, Molly Ranns and JoAnn Hathaway talk with Judy Selby to hear her expertise on this complicated topic. Judy explains what to look for in a policy, different types of coverage and limitations, and how to ensure that a policy will meet the unique needs of your law firm.
Judy Selby is a partner at Kennedys and has over 30 years of experience in insurance coverage.
Special thanks to our sponsor State Bar of Michigan.
Molly Ranns:
Hello and welcome to another edition of the State Bar of Michigan’s On Balance Podcast on Legal Talk Network. I’m Molly Ranns.
JoAnn Hathaway:
And I’m JoAnn Hathaway. Today we’re delighted to welcome Judy Selby to our podcast. Judy will be discussing how lawyers can dissect and comprehend their cyber insurance policies effectively, demystifying this complex topic. Judy is an attorney and partner at Kennedys, a global law firm with expertise in litigation, dispute resolution and advisory services. She helps cyber insurers and managing general agents with claims, coverage and policy wordings. She has experience in complex insurance coverage litigation and international coverage arbitrations, and also provides advice to address cyber and emerging risk exposures. Judy, with that, could you share some additional information about yourself with our listeners, please?
Judy Selby:
Hi, JoAnn. Thank you. And Molly, thank you. It’s really a pleasure to be here. I would just say in addition, I’ve focused primarily, almost exclusively on cyber insurance for the past decade or so, and absolutely delighted to be here to speak with you and your listeners about this topic. I’m very passionate about it.
Molly Ranns:
Well, we’re really grateful to have you here today with us, Judy. Cyber threats abound these days, and lawyers and law firms are prime targets. It seems due to the sensitive nature of the data they store, the threat actors are becoming more and more sophisticated, and so it seems cyber insurance is now more of a necessity than a mere nice to have policy. Could you explain exactly what cyber insurance is and why lawyers and law firms need it?
Judy Selby:
Cyber insurance: it is important to remember cyber is a modifier. Insurance is the noun that we’re talking about here, and so cyber is a different type of insurance policy that’s specifically designed to address privacy and cybersecurity types of risks, although they frequently are much broader than that, in a nutshell. And what makes cyber insurance so helpful, particularly for small and mid-sized businesses, is that the policies provide first party coverage as well as third party coverage. On the first party side, those are costs that the insured, so in this case, the law firm itself, would incur in connection with a cyber or privacy incident. So for example, let’s assume that there’s a breach, a malicious breach by a third party, a malicious actor. The cyber insurance policies typically would cover the cost for a specialist lawyer, sometimes called the incident response counsel, to come in and basically manage or quarterback the law firm’s response to this incident.
So that might mean bringing in a computer forensics team, a public relations team, professionals to provide notifications to affected individuals or to regulators if those requirements have been triggered. Sometimes there’s coverage for, and this is important for law firms, sometimes there’s coverage for notifications that are required by contract. So oftentimes law firms are required to provide notice to their clients in the event of a data breach, even though the breach may not implicate breach notification laws that are out there. So these types of services and costs that I’ve just mentioned are typically covered under the first party coverage of cyber insurance policies. I should note at the outset that there are no standard forms for cyber insurance policies. There’s kind of a joke in my space: if you’ve seen one cyber insurance policy, you’ve seen one cyber insurance policy, but it really is true. So it’s important, and I suspect we’ll talk about this later, it’s important to know what you’re buying, make sure that it suits your needs and to work with a knowledgeable broker and make sure you’re getting the right coverage for your particular law firm.
Then on the other side, I mentioned third party coverage. That’s liability coverage, so that’s if the insured law firm is sued for a cyber or privacy type of incident or a risk or something that happened. That also includes typically regulatory coverage. So if a regulator launches an investigation, there could be coverage for that. I should mention on the first party side that many policies provide coverage for contingent, sometimes called dependent, business interruption and for interruption of the insured’s business operations. So what those coverages mean with regard to contingent or dependent business interruption: if a certain type of business partner of the law firm has a cyber incident, and the devil of course is in the details of the policy wordings, but if a business partner on whom the law firm is dependent, let’s say an entity that’s providing HR services or data hosting services, something like that, IT services.
If that entity has a cyber incident and cannot provide services to the law firm that impact the law firm’s ability to function as a business, there could be coverage for that. So that would depend very much on the language of the insurance policy itself as to what type of service provider, if they had the incident, would trigger coverage under the policy. So there would be no incident, no impact, no cyber attackers, anything like that to the insured law firm itself, but to its service provider. There is coverage also typically for business interruption to the law firm itself if the law firm itself suffers a cyber attack or a ransom attack or something along those lines. So that’s very, very important coverage; it’s very nuanced. The types of things that you would have to show to recover under that coverage for lost income are very detail oriented, but I did want to make you aware that that coverage is there.
Oftentimes in cyber policies, there is also coverage for kind of cyber crime related exposures. This is very important for law firms because law firms are often subject to social engineering or business email compromise types of incidents. We see that a lot in the real estate sector. You get the email from the other side of the transaction that you’re working on, or sometimes we see it in the settlement context where the email comes into the law firm saying, we’ve changed our bank account information, please wire the funds off to this new account, and then the money goes off to fraudsters. So there could be coverage under your cyber insurance policy for that, if your cyber insurance policy has those crime coverages in there. You may have coverage for that under just a standalone crime policy. Typically, those coverages are severely sublimited, and there may be requirements for the law firm to have validated the request to make sure that it wasn’t a fraudulent request. For example, if you get an email that says, we have new banking information, did you verify via a different mode of communication that it is a legitimate request from the actual party and not a threat actor? So that can be very valuable coverage as well. There are other types of coverage, media coverage for one, and some other coverages that may be in any individual cyber insurance policy, but those are the major ones I think are important to talk about right now.
JoAnn Hathaway:
Judy, you mentioned cyber policies are non-standard. Can you explain the difference between a standard and non-standard policy and also address if you think at some point in the future cyber policies will become standard?
Judy Selby:
Sure. What I meant by that, JoAnn, is that each insurer has its own policy form, its own policy language that it uses. Now, sometimes we’ll see certain endorsements, for example, that might be written by a broker in this space. So you may see a typical Marsh endorsement for a certain issue, a certain type of coverage, an Aon endorsement for another type of coverage, but by and large, there are no standard forms in cyber insurance, which means that it could be burdensome on the insured or the prospective insured and require them to look at the differences between the different policies. And the devil, as I mentioned before, is really in the details, understanding exactly the coverage that you’re getting. So this may mean reviewing the policy definitions in great detail and comparing one policy to another policy. Again, you would want to work with a good broker to help with that.
Now, this is different from other types of forms that are on the market. For example, CGL forms, general liability forms, are often written using forms put out by an organization called ISO, the insurance services organization. So they put out kind of forms that you just see over and over again, and you know what the language is, the good or the bad thing, depending on what your issue is. And what’s happening is that when you have a standard form, bodies of case law may develop as to how those forms should be interpreted, what the courts tend to do with them. But in cyber, there’s very, very little case law, and if there is any case law on one issue on one policy, it may not have any bearing on a different policy form issued by a different carrier. So it does kind of put the burden on the insured to look to make sure you’re getting the right coverage for you.
The good side though is that often, depending on the size of the business that’s buying the insurance policy and the leverage in the marketplace they may have, there’s probably more opportunity for manuscripting some policy terms in the cyber context, and by that I mean going to the insurance company and asking for special terms to be written for you. Again, if you work with a broker, you can explore those issues with a lot more ease, I would think. But it’s really key to keep in mind that the cyber insurance market is starting to mature, but compared to other lines of coverage, it’s a very new insurance product that’s out there in this space, and we have that factor. Plus we have an ever evolving risk landscape in terms of both privacy and cyber risks. The risks are always changing. So much of it is dependent on laws and regulations that are being written as we speak and on technologies that are being created and developed and used constantly and constantly changing and adapting. So this confluence of factors makes cyber a very unique insurance product in the market, which I think, JoAnn, to answer the last part of your question, makes a standard form pretty unlikely, at least for the foreseeable future in my view.
JoAnn Hathaway:
Great. There’s always the question that agents are posed with and potential insureds are always asking about coverage limits. Are there suggested coverage limits one should choose under a policy of cyber insurance, and what are your recommendations?
Judy Selby:
Yeah, that’s really a very fact-dependent question depending on the specific insured and their risk profile. So as you might imagine, if it’s a global law firm that has offices all over the world and has mountains and mountains of data, their potential risk would be much higher than a small one or two person law firm, for example. So the important thing is to work closely with your broker and try to identify what your specific risks are based in part on the types of data you’re holding. For example, if you’re holding lots of personal health information or personally identifiable information or very, very sensitive corporate information. So if you’re a law firm that does a lot of mergers and acquisitions work and you have highly, highly sensitive information, highly confidential information, whose value is dependent on that information being kept private, you might need additional limits to account for those exposures.
And for larger law firms, you may want to try to build a tower of insurance coverage, which is what many corporations do as well. So you would get, for example, a primary policy, a first layer policy for a certain limit, let’s say $5 million. You might want to stack additional excess policies on top of that so you can be adequately protected. It’s rare these days to find a single policy that will cover more than $5 or $10 million. If you needed more coverage than that, you’d have to buy additional policies to sit on top of that policy. But the market is continually evolving in terms of the pricing for coverage and the availability of coverage on the marketplace. So again, I feel a little bit like a broken record, but working with a knowledgeable broker who understands cyber, understands the cyber insurance marketplace and the potential exposure that any individual law firm has is really, really critical.
Molly Ranns:
Judy, it’s my understanding that some cyber insurance policies respond to privacy lawsuits and investigations when there was no actual hack or data breach. This doesn’t seem logically to be coverage you would expect under such a policy. Can you speak to how a policy might respond in these types of instances?
Judy Selby:
Oh, absolutely. And that coverage is typically there. So we can think of some easy examples where let’s say that an employee of the law firm inadvertently sends an email with private information off to the wrong party. They just mistype an email address and off it goes to the wrong party. So that’s a potential privacy breach without any type of hack. So the policies typically respond on the liability side. So if that law firm were to get sued for that, that would be an unauthorized disclosure of private information. That’s a very simple example, but what we’re also seeing now is a lot of lawsuits, like a tidal wave of lawsuits frankly, being brought against companies, often in the healthcare space but certainly not exclusively, arising out of their use of certain types of code on their websites, where they are being accused of tracking website users and sending information about their website users to third parties such as Facebook or Google or to other analytics companies to analyze who’s using their websites.
So in those situations, there’s been no malicious hack. There’s been no breach in the sense that many people think of it, but there’s still the allegation of an unlawful or unauthorized disclosure of information to a third party, which triggers coverage under many of the, if not all that I’ve ever seen, cyber insurance policies on the market. There’s also coverage under many policies for things like unlawful collection of data, and these issues are becoming more important now as more and more states are enacting privacy laws and regulations about a company’s collection, use, sale, transfer, and ultimate disposition of certain types of data, typically consumer data. And so the states one by one are starting to pass these types of laws. We’re up to more than a dozen laws at my last count that apply to these types of consumer information. So there could be exposure there for law firms depending on your business operations, the types of data that you’re collecting and what you’re doing with it, and then if you get sued for that or you have a regulator come after you for that. So that’s very, very important. It’s a key part of cyber insurance, and so this concept that you have to have some type of a malicious data breach to trigger coverage is really not accurate. There’s a lot of coverage under these forms, depending on the wordings and depending on the circumstances of what happened, for these non-malicious, non-hack, non-cyber event types of exposures.
Molly Ranns:
Thank you, Judy. That is very helpful clarification, and we are now going to take a short break from our conversation with Judy Selby to thank our sponsors.
JoAnn Hathaway:
Welcome back. We are here with Judy Selby talking about cyber insurance. Judy, knowing the coverage parts and exclusions in a policy is really critical for lawyers to understand. What are some of the limitations of cyber insurance coverage that lawyers and law firms should be aware of?
Judy Selby:
That’s a great question, JoAnn. I’m glad you asked that. I had mentioned early on about the first party coverage, how cyber insurance policies typically provide coverage for a whole host of professionals to come in and assist in case you have some type of a cyber incident or privacy incident. Oftentimes though, there are requirements in the policy as to who you’re allowed to use for that. So that to me is a real benefit for the insured. So if you have an incident, and God forbid your entire network is encrypted, you’re not turning to the yellow pages to try to figure out who can help you deal with this incident that you just had. But the other side to that is that the insurers typically have panel professionals that you are required to use when you have those incidents. So it would be important to know that before you have an incident, if we do have an incident, who would we call and how would we do that?
So you’re knowing who that is before you have the incident, so you’re not just calling some IT guy that you happen to know or your brother-in-law who knows something about cyber security. So it’s really important to know what those requirements are before you engage anybody and before you spend any money, because it may not be covered under the policy and you don’t want to do anything to jeopardize your coverage. So you want to know that. You also want to know about any reporting requirements you have, like notification requirements you have to the insurer. If you do have a cyber incident or you think you might have a cyber incident or you get a lawsuit in for a cyber or privacy thing, you don’t want to sit on those things, so you want to make sure you know what those requirements are. I already mentioned that if you have cyber crime types of coverages under the policy, they may be sublimited, so you would want to know that going in as you’re trying to determine whether you’re adequately insured.
I’d rather be over-insured than underinsured in the cyber area. Pricing, by the way, has moderated over the past six months or so, so hopefully that would not be too much of an impediment to getting coverage. You would want to know that. You would also want to take a look at some exclusionary language in the policy. For example, I just spoke about how there’s oftentimes coverage for allegations of wrongful collection and use of protected information. There may be an exclusion in the policy that would apply to that type of wrongful collection. So you’d want to make sure, and again, work with your broker and look for those types of things. But for everybody across the board, I would make sure that I am aware of, and that I include in my incident response plan, which hopefully everybody has, your cyber incident response plan, how you would provide notice to your insurer or your broker if you do have an incident, and whether you are required to use panel professionals to respond to any such incident or to defend you in a lawsuit if you had one.
Molly Ranns:
Judy, some insurance carriers are direct, right? Carriers that don’t work through agents and others are agent driven. When you’re selecting an agent and a carrier for cyber insurance, what factors should lawyers and law firms really consider?
Judy Selby:
Well, one thing I would do is ask around. If you have friends at other law firms, ask them if they have coverage and ask them if they’ve ever had a claim under their insurance policy and how that claim was dealt with, and whether they were happy with that. I would talk to various brokers, ask them how many cyber insurance policies they have helped to have issued, how they deal with claims, what are their thoughts as to the best coverage and the carriers who are responding well to claims, things of that nature. What you’re looking for here is experience and not somebody who is just Googling cyber insurance online. So I would look for very experienced professionals in this space, particularly people with experience in the legal space, in the law firm and professional services space, because the issues there are different. When you think about law firms in particular, law firms are oftentimes aggregators of the most sensitive information from a whole slew of other companies.
The information that you’re getting in connection with deals or in connection with litigation, they’re holders of lots of information from lots of different sources, which makes law firms a particularly attractive target for the bad guys out there. So you’d want to work with people who really specialize in this space. I think that’s key. It’s also important to keep in mind, and I would ask about this as well, which cyber insurers provide proactive types of risk management services to their insureds, either for free or at a discount, where you might get an hour or two to work with an incident response law firm to help you set up your incident response plan and walk through it with you, conduct a tabletop exercise to make sure that you know what to do if God forbid you have an incident. You don’t want to go through that exercise for the first time when you have an actual incident. They may provide services around doing some type of a risk assessment or something like that, so that could be a differentiator in the marketplace as well. But I would definitely focus on companies with experience with law firms and lawyers, and I would ask questions about how many claims they’ve had, how they’ve dealt with those claims, if people were happy with the coverage and the claims handling that they received in those circumstances.
JoAnn Hathaway:
Judy, coordinating coverage across policies is key, and many lawyers contend they have cyber insurance endorsed on their lawyer’s professional liability policy typically referred to as malpractice insurance, and as a result, they don’t need a standalone cyber insurance policy. So what are your thoughts on this and how can lawyers effectively assess their policy and coverage needs?
Judy Selby:
And they may, JoAnn, they may have an endorsement. I’ve never seen endorsed cyber coverage that’s as broad as the coverage you get under a standalone cyber insurance policy, so that’s an important consideration. Now, that’s just what I’ve seen. I can’t claim to have seen everything out there or even close to that, but that’s one thing that I would look at, and be aware that if you get an endorsement with some cyber coverage under an LPL policy, is that coverage as broad as what you might get elsewhere, and are the limits as high? If you have certain limits for your malpractice policy based on your firm’s history and your risk profile, are those limits also going to be enough to cover any potential cyber and privacy exposures that you have? You want to make sure that you take that into account when you are buying that policy.
So are you going to burn all your LPL coverage if you have a cyber incident, or vice versa? So you would want to be very, very careful about that. As I was saying earlier, the key difference is the coverage that’s being provided. Is it going to provide those first party coverages that I spoke of before? Are they going to provide all of the same liability coverage and the business interruption types of coverages? Sometimes they don’t. So you would want to look for that. Are they going to provide the cyber crime types of coverages, or is there a separate cyber crime type of endorsement to the policy? Those are the types of questions I would be asking and the types of issues I would be studying. Without any type of cyber coverage endorsed to the policy, though, I don’t think the first party coverages would be there at all, so maybe you might have some coverage if you were sued, but query whether that would be within the scope of coverage under your LPL coverage, kind of protecting data and those things. Would that come within the coverage of that policy? You might just be creating issues for yourself if you don’t get at least the cyber insurance endorsement, but I would take a very, very hard look, especially today, at a standalone cyber policy to provide really comprehensive cyber and privacy coverage.
JoAnn Hathaway:
Well, this has been so enlightening, but it does seem that we have come to the end of our show and we would like to thank our guest today, Judy Selby for a wonderful program.
Judy Selby:
My pleasure, JoAnn. Thanks for having me. If anybody wants to get in touch with me, all my information’s on the Kennedys website. Feel free to connect with me on LinkedIn; I’m constantly posting content about cyber insurance and these types of issues, in case that’s helpful.
Molly Ranns:
Judy, it sounds like if listeners would like to follow up with you, they can find you on LinkedIn, and would you mind noting the website that they can find you on through Kennedys?
Judy Selby:
Yes, it would just be www.kennedyslaw.com.
Molly Ranns:
Wonderful. Thank you again for joining us today.
Judy Selby:
My pleasure.
Molly Ranns:
This has been another edition of the State Bar of Michigan On Balance Podcast.
JoAnn Hathaway:
I’m JoAnn Hathaway.
Molly Ranns:
And I’m Molly Ranns. Until next time, thank you for listening.
Announcer:
Thank you for listening to the State Bar of Michigan On Balance Podcast, brought to you by the State Bar of Michigan, and produced by the broadcast professionals at Legal Talk Network. If you’d like more information about today’s show, please visit legaltalknetwork.com, subscribe via Apple Podcasts and RSS, find the State Bar of Michigan and Legal Talk Network on Twitter, Facebook, and LinkedIn, or download Legal Talk Network’s free app in Google Play and iTunes. The views expressed by the participants of this program are their own and do not represent the views of, nor are they endorsed by, Legal Talk Network or the State Bar of Michigan or their respective officers, directors, employees, agents, representatives, shareholders, and subsidiaries. None of the content should be considered legal advice. As always, consult a lawyer.
State Bar of Michigan: On Balance Podcast
The State Bar of Michigan podcast series focuses on the need for interplay between practice management and lawyer-wellness for a thriving law practice.