By Legal Futures’ Associate CTS
Law firms have more to lose from cyber security breaches than most types of business, because handling sensitive and confidential information for clients is so central to what legal professionals do. That’s why increasing numbers of firms are taking out specialist cyber insurance policies.
Our view is that cyber insurance may well be worthwhile, but it can only ever be a complement to advanced cyber security measures – never a replacement. Here’s why…
Blame, but no claim
One problem law firms face is that the insurance industry is changing rapidly. According to Mactavish, the UK’s leading experts on insurance governance: “Insurers’ approach to large claims has changed…in ways which create significant challenges for policyholders”. They blame “the combination of aggressive cost cutting… increased focus on off-the-shelf solutions and demanding new legislation.”
Mactavish reports that 45% of cyber policy claims are disputed, the average dispute resolution time is just under 3 years, and when disputed settlements are paid out, they average just 60% of the amount claimed. Worrying figures for firms relying on insurance to cover the cost of cyber security breaches.
If there’s one piece of advice every lawyer understands it’s “read the small print”, and as Mactavish puts it, “like many forms of business insurance, cyber losses and cyber policy wordings can be highly complex.” Many cyber insurance policies include onerous conditions relating to encryption, or language that removes cover if the insured firm fails to patch, update, upgrade or test software. Firms operating legacy systems, such as servers or applications that are no longer supported, need to be very careful of exclusions on their policy.
Don’t neglect negligence
A particular issue is that cyber insurance policies are often worded to exclude anything that could be attributed to professional negligence. This means that, for many types of cyber breach, the policy will only kick in once the firm’s Professional Indemnity Insurance (PII) limit has been exhausted.
The excessive cost of excess
Even when the cyber policy wording allows a claim to be made, the excess on cyber policies can be up to £10,000. If your firm suffers 3 losses in a year, each worth £9,000 (which is quite feasible as cyber security breaches proliferate) that amounts to a £27,000 loss that cannot be claimed back.
Policies can leave you out of pocket
Insurance is often on a reimbursement basis so the cost of a remediating a cyber breach is borne by the firm until the claim is paid out. This means the firm has to manage, pay for and coordinate the incident response before the insurer confirms its intention to pay out. Even if their insurance policy does cover incident response, the firm will still need to wait until their insurer decides whether something is covered before handling it, which can cause delays in response time.
Cover for downtime and other costs related to the incident also vary greatly from policy to policy. Very few policies cover the full amount of revenue lost following a cyber event, in fact the best you can hope for is to claim back the gross profit. All cyber policies also include a time excess – typically you’ll have to suffer 12 hours of downtime before starting to claim for loss of earnings. Finally, the cost of improving the IT security shortcomings that allowed the breach to happen are unlikely to be covered.
More to lose than just money
Cyber policies cover cyber events in the narrowest possible terms. Hard to quantify consequences such as loss of intellectual property, reputational damage and diminished client trust can threaten the firm’s very future – and cannot comprehensively be covered.
The conclusion? A solid cyber security strategy is essential, given the limitations of cyber insurance policies explored in this article.
Having the capability to rapidly detect and eliminate threats not only minimises your firm’s risk, but will reduce the cost of your cyber insurance policy. Find out more about how to accelerate your firm’s response to cyber threats.