Help

BI’s Article search uses Boolean search capabilities. If you are not familiar with these principles, here are some quick tips.

To search specifically for more than one word, put the search term in quotation marks. For example, “workers compensation”. This will limit your search to that combination of words.

To search for a combination of terms, use quotations and the & symbol. For example, “hurricane” & “loss”.

Login Register Subscribe

Law firms looking into cyber insurance

Reprints
Law firms looking into cyber insurance

Alarmed by their vulnerability to everything from sophisticated hacking to the hapless attorney who attaches the wrong spreadsheet to an email, law firms are turning to new must-have coverage: cyber insurance.

In the past few years, the biggest firms have purchased policies to cover the costs of a data breach: notifying clients or employees, conducting a forensic investigation and, if necessary, writing checks to plaintiffs or regulators.

Now midsize and small firms are eyeing the policies, too.

But without a major claim by a law firm against a cyber insurance policy, attorneys shopping for coverage are left with what Matthew Price, associate general counsel at Milwaukee-based Foley & Lardner L.L.P., calls “the real $64,000 question, which is: How much is enough?”

The answer to that question varies from firm to firm, says Kari Timm, an attorney who specializes in cyber and privacy liability in the Chicago office of insurance boutique BatesCarey. Insurers base underwriting decisions on both a firm's size, as measured by the number of employee and client records it maintains, and its practice areas. Mergers and acquisitions are attractive hacking targets because of their access to sensitive information. Firms with health care clients can be at risk because of their potential access to records protected by privacy laws.

A survey of insurance claims information in 2014 by NetDiligence, a Philadelphia-based cyber risk assessment company, found 10 percent of the claims originated in the professional services industry, compared with financial services and health care, which together generated almost half the claims. The median cost for a claim in the professional services industry was $230,000. But Attorneys' Liability Assurance Society Inc., a Chicago-based mutual insurance company for some of the largest law firms in the country, was not included in the survey.

Moreover, there's no consensus yet among insurers as to what, if anything, is covered by a law firm's professional liability policy — the insurance that pays out when a lawyer is sued for malpractice. In August, Attorneys' Liability issued a memo outlining what expenses its standard professional liability policy would cover and introducing a new product that would limit firms' cyber risk to $250,000. Foley & Lardner has had cyber insurance for several years now, Mr. Price says, but for firms without it, the memo “underscored how big of a deal it is now.”

When cyber insurance first became available seven years ago, law firms operated on a three-year sales cycle, says Regan Miller, a managing director specializing in law firms at Houston-based broker Wortham Insurance. The first year was to see the broker's presentation, the second year to build the premium into the budget, third year to buy. Now, often spurred by client requests, they ask to buy coverage starting the next month, she says.

In the news

Lawyers also appear to be reading the news: Cyber insurance sales at Chicago-based BigData Insure L.L.C., which targets firms with 50 or fewer lawyers, shot up in the fourth quarter of 2014 following high-profile data breaches at The Home Depot Inc. and Sony Pictures Entertainment Inc., says Michael Flanagan, director of sales and marketing.

Large firms might spend between $40,000 and $75,000 annually for $5 million to $10 million in coverage, while small firms might pay $3,500 to $7,500 for a $1 million to $5 million policy. “We always see the trickle-down effect,” Ms. Miller says. “Once the large firms do it, then the medium-sized do it.”

Some firms that bought cyber insurance policies a few years ago now are searching for better deals. Sonia Menon, chief operating officer at Neal Gerber & Eisenberg L.L.P. in Chicago, says the firm bought stand-alone coverage at least two years ago but is considering adding more. Insurance carriers that once refused to cover data breaches resulting from a lost laptop now will do so, she notes. As the carriers chase new business, lawyers and brokers predict the competition over what problems policies will cover will extend to premiums.

Fast-changing market

Mr. Price says Foley & Lardner reviews its coverage more frequently than its other types of business and professional insurance. With the market changing so rapidly, “to be stagnant would not be in our interest.”

Even the companies that run professional development courses for lawyers are capitalizing on the profession's focus on cyber insurance. Mark Ferguson, general counsel at litigation boutique Bartlit Beck Herman Palenchar & Scott L.L.P. in Chicago, says the firm purchased cyber insurance a couple of years ago. He has noticed an uptick in management courses promising to educate attorneys on how to protect against the risks associated with a data breach. “Five years ago, I don't remember seeing a 'cyber liability for law firms' seminar, and now I think I see one every couple of months,” he says.

Claire Bushey writes for Crain's Chicago Business, a sister publication of Business Insurance.

Read Next