In the wake of the June cyber attack in which international law firm DLA Piper was almost brought to a standstill by a variant of Petya ransomware, many law firms are looking into cyber insurance. But as with any insurance policy, you need to be aware of what is and is not covered, and what to look for in a cyber insurance policy.
Walter Andrews, head of Hunton & Williams’ insurance litigation and recovery service, has a few tips about cyber insurance. Andrews has 30 years of experience in insurance-related issues. He has spent thousands of hours reviewing cyber insurance policies and helping clients find gaps in their coverage.
Law firms, like other businesses, need to prepare for cyberattacks not only with technology but financially—with a useful insurance policy, Andrews recently told LegalTech News. Unfortunately, many of those who have cyber insurance discover too late that their policies are not that useful.
Cyber insurance is a very new product and buyers don’t understand what is and is not covered, Andrews said, and right now he’s seeing huge gaps in the coverage that is provided. “Those who are insured may need to get an endorsement to their policy or get different coverage so that there is coverage for the risks that we’re now seeing. You’ve got to make sure that there is full coverage for all the known and unknown risks.”
Many insurance policies that say they include cyber insurance coverage don’t really do so, because they typically only provide coverage for threats to firms’ data or systems, and not ransomware. And even most of those policies that do cover ransomware attacks require prior approval before a ransom is paid, rather than a reasonable basis test.
“Ask for a policy that accepts a reasonable basis test, rather than pre-approval,” Andrews advised. “And see that it does not require that the problem be a threat in the future—that it also applies when you need to do something that has occurred.”
Also make sure that the policy includes all employee devices, including laptops and phones, because employees working at home or on the road face greater risks of phishing attacks, which can provide an “in” to get ransomware on law firms’ systems.
A good policy should also cover hiring a forensic investigator and a law firm to advise you whether there has been a breach. The policy should also cover any breach of the system, not the typical vaguely worded “failures of the system.”
Finally, “The policy needs to be discovery-based, not occurrence-based,” Andrews said. “You don’t want a cyber insurance policy that is occurrence-based because you don’t know when the breach occurred in many cases, and the breach may occur years before it is discovered and before the policy. You need to make sure you have the right timing trigger for that coverage.”
Ultimately, what it comes down to is that cyber insurance is a new realm of coverage and many policies have gaps in coverage that could end up costing law firms millions of dollars. It’s important to have a skilled and experienced insurance broker or law firm to advise you on appropriate coverage for your firm’s needs.