THOMSON REUTERS ELITE
Forefront eNewsletter

ISSUE III 2019

What Your Law Firm's Cyber Insurance Doesn't Cover

Law firms have more to lose from cybersecurity breaches than most types of businesses, because handling sensitive and confidential information for clients is so central to what legal professionals do. That's why increasing numbers of firms are taking out specialist cyber insurance policies.

Our view is that cyber insurance may well be worthwhile, but it can only ever be a complement to advanced cybersecurity measures—never a replacement. Here’s why…

Blame, But No Claim

One problem law firms face is that the insurance industry is changing rapidly. According to Mactavish, the UK's leading experts on insurance governance: “Insurers’ approach to large claims has changed ... in ways which create significant challenges for policyholders.” They blame “the combination of aggressive cost cutting ... increased focus on off-the-shelf solutions and demanding new legislation.”

Mactavish reports that 45% of cyber policy claims are disputed, the average dispute resolution time is just under three years, and when disputed settlements are paid out, they average just 60% of the amount claimed. These are worrying figures for firms relying on insurance to cover the cost of cybersecurity breaches.

Complex Wording

If there's one piece of advice every lawyer understands, it's “read the small print,” and as Mactavish puts it, “like many forms of business insurance, cyber losses and cyber policy wordings can be highly complex.” Many cyber insurance policies include onerous conditions relating to encryption or language that removes cover if the insured firm fails to patch, update, upgrade, or test software. Firms operating legacy systems, such as servers or applications that are no longer supported, need to be very careful of exclusions on their policy.

Don't Neglect Negligence

A particular issue is that cyber insurance policies are often worded to exclude anything that could be attributed to professional negligence. This means that, for many types of cyber breach, the policy will only kick in once the firm's Professional Indemnity Insurance (PII) limit has been exhausted.

The Excessive Cost of Excess

Even when the cyber policy wording allows a claim to be made, the excess on cyber policies can be up to £10,000. If your firm suffers three losses in a year, each worth £9,000 (which is quite feasible as cybersecurity breaches proliferate), that amounts to a £27,000 loss that cannot be claimed back.

Policies Can Leave You Out of Pocket

Insurance is often on a reimbursement basis, so the cost of remediating a cyber breach is borne by the firm until the claim is paid out. This means the firm has to manage, pay for, and coordinate the incident response before the insurer confirms its intention to pay out. Even if its insurance policy does cover incident response, the firm will still need to wait until its insurer decides whether something is covered before handling it, which can cause delays in response time.

Cover for downtime and other costs related to the incident also varies greatly from policy to policy. Very few policies cover the full amount of revenue lost following a cyber event. In fact, the best you can hope for is to claim back the gross profit. All cyber policies also include a time excess—typically you'll have to suffer 12 hours of downtime before starting to claim for loss of earnings. Finally, the cost of improving the IT security shortcomings that allowed the breach to happen is unlikely to be covered.

More to Lose Than Just Money

Cyber policies cover cyber events in the narrowest possible terms. Hard-to-quantify consequences such as loss of intellectual property, reputational damage, and diminished client trust can threaten the firm's very future—and cannot comprehensively be covered.

Prevention Pays

The conclusion? A solid cybersecurity strategy is essential, given the limitations of cyber insurance policies explored in this article.

Having the capability to rapidly detect and eliminate threats not only minimizes your firm’s risk, but will reduce the cost of your cyber insurance policy. Find out more about how to accelerate your firm’s response to cyber threats.

Download the whitepaper from CTS here.
 

CTS

CTS is one of the leading cloud and managed IT providers for law firms. CTS provides a secure, fully-managed cloud infrastructure service which is used by innovative law firms throughout the UK every day to drive productivity, enable flexible working and boost growth. Click here for more information.

 
 