An unfortunate reality of 2022 is that law firms are high-profile targets for cyber criminals. In fact, 25 percent of law firms have disclosed that they have suffered some type of cybersecurity breach. Law firms are aggregators of their clients’ most sensitive information, including documents at issue in litigation and commercial transactions (such as mergers and acquisitions), and confidential information such as trade secret documentation. Given the high stakes posed by the custodial nature of the practice of law, more and more firms look to cyber insurance for financial and tactical support in the event of a cyber or privacy incident.
The Financial Impact of Cyber/Privacy Events
It is now common knowledge that cyber and privacy events are costly. This is particularly true for law firms, which may face added complications, including damage to their reputation and potential violation of ethical rules. Surveys show that the costs associated with breach events are only growing. A 2021 IBM report found the average cost for data breaches was $4.24 million. The $4.24 million average was broken down into four categories: (1) detection and escalation ($1.24 million); (2) notification ($0.27 million); (3) post-breach response ($1.14 million); and (4) lost business cost ($1.59 million). Additionally, the IBM report found that the average time to locate and contain a breach was 287 days, which is a long time to have a threat actor in your system or handling your data.
The IBM report also found that the average cost to respond to cyber events in the United States far exceeded that of all the nations IBM surveyed, totaling $9.05 million. While many sectors suffer from these attacks, health care facilities were the costliest industry surveyed, with an average cost of $9.23 million. Nevertheless, law firms are far from immune to the threats of cyber security breaches. The IBM report found that the services sector, which includes professional services such as legal, accounting, and consulting firms, spent an average of $4.65 million in 2021 on data breach events, up from $4.23 million in 2020. The American Bar Association surveyed law firms about cyber security breaches and their impacts. The survey found that 29 percent of the firms surveyed suffered a virus or infection in their system. Thirty-six percent of law firms surveyed by the ABA reported downtime or loss of billable hours as a result of a breach event. Further, of the law firms surveyed, 13 percent reported files were destroyed and 18 percent required hardware or software replacement.
How Cyber Insurance Can Help
Cyber insurance can provide a lifeline to firms impacted by a cyber incident, especially for small and midsize firms that lack the in-house expertise and financial resources to respond to an event.
While there are no standard cyber insurance policies, cyber policies are typically are broken down into the following parts:
First Party: First-party coverage typically applies to costs the insured itself incurs as a result of a covered incident. Perhaps the most important first-party coverage is for incident response services, which includes retention of legal counsel, computer forensic specialists, notification firms, and public relations specialists to manage the incident on behalf of the insured.
Cyber extortion coverage applies to costs related to expert ransom negotiators, ransom payments, legal counsel, and other costs associated with the resolution of an extortion event.
Data recovery costs apply to expenses to re-access, restore, rebuild, and to a limited extent, replace data impacted by a cyber event.
If an insured’s business operations are impacted by a cyber event, business interruption coverage may be triggered. Recovery of business income losses may be subject to an uninsured “waiting period” of a specific number of hours or days. Although income losses often must be calculated by a forensic accountant, those fees often are covered by cyber policies.
Third Party: Third-party coverages apply to costs for defending claims by third parties related to a cyber or privacy incident, including defense costs, settlements, and judgments. This coverage may be triggered by consumer class action lawsuits arising from a data breach or alleged misuse of personal information.
Regulatory: Many cyber and privacy incidents implicate regulatory reporting requirements. If a regulatory investigation is instituted, an insured will often receive a notification letter that lists specific documents and evidence the regulator requires to evaluate the incident. Cyber policies may cover the costs to comply with the regulator’s requests, including costs to retain counsel to ensure the proper response to the requests is provided. Fines, fees, and consumer redress expenses may also be covered, depending on the policy’s wordings and applicable law.
Policy Conditions and Requirements: An insured law firm’s work is not finished when it purchases a cyber policy. To avoid missteps, it is important for the insured to carefully review the policy to understand all policy conditions and requirements. For example, the policy likely has specific instructions concerning when and how a claim must be reported to the insurer. Policies also may contain prior written consent requirements concerning the payment of any costs, including a ransom payment, and the engagement of law firms and other service providers to assist in responding to an incident. Many insurers have approved panels of law firms and service providers that generally must be used by an insured when responding to an incident or claim. Because failure to comply with policy requirements could jeopardize coverage, insureds should take steps to operationalize their policy obligations.
Practical Considerations When Submitting a Claim Under a Cyber Policy
It’s important for insured firms to understand in advance exactly how to submit a claim under their cyber policy. While it may sound like a simple task, the evaluation of what information may be necessary to submit to the insurer may be somewhat complex, depending on the nature of the event. Generally, however, insureds should provide as much information about the event as possible to allow the insurer to adequately analyze the situation. That sounds easy (and evident) enough, but often at the very initial stages of a cyber event, the insured knows little about what has occurred. Consequently, as the investigation unfolds, the insured likely will have to submit additional information to the insurer on a continual basis.
When preparing a claim submission, think about the elementary “W” questions to provide the most important and helpful information to the insurer to expedite resolution of the claim:
- Who: Who has potentially accessed your data? Who is the source of the potential breach? Who has brought, or is likely to bring, claims against you?
- What: What data (and whose if personal and protected information is involved) was accessed, breached, encrypted, or exfiltrated?
- When: When did the event begin and/or when and how it was first detected? Does the threat actor still have access to your system?
- Where: Where or how did the incident occur? Did it involve the law firm’s own network or that of a service provider, such as an eDiscovery vendor? Did it initiate through phishing emails, a malware link, or inadvertent disclosure?
- Why: Why are you reporting the breach or potential breach? Are you seeking vendors, coaches, guidance, reimbursement, litigation counsel, providing a notice of circumstance, a regulatory investigation, or a lawsuit? What do you immediately need from the insurer?
While it is tempting to wait until more is understood about the event and surrounding circumstances, this is not a suitable strategy for anyone involved. The earlier your insurer—and therefore the vendors needed to address the issue—is involved, the more efficient the process will be. And as noted, the cyber policy may have prior written consent and panel requirements applicable to hiring lawyers and other vendors.
Next, be ready to respond the insurer’s follow up questions. To expedite resolution of the claim, it is important to respond to these requests in a timely manner. Remember, the information provided at the initial stages can help the insurer determine the best vendors to retain and the best steps to take to resolve the event.
Providing the insurer with clear, thorough information will allow the process to begin smoothly and will allow for more targeted assistance for the insured. Finally, if you do not understand something such as why something is happening, how the information is necessary for the insurer, or how resolution will be achieved, be sure to ask!
About the Authors:
Judy Selby is a partner and Jennifer DeVlugt is an associate at Kennedys Law LLP, where they focus on insurance coverage and related matters.