When it comes to cyber and professional liability exposures, law firms can’t afford to assume that a professional liability policy is enough to cover all the bases. It’s important to utilize the right coverage needed to address different areas of risk. However, despite growing cyberattacks, many law firms still don’t carry cyber insurance or wrongly assume that their first line of defense against cyber and phishing losses is their Lawyers Professional Liability (LPL) policy.
Law firms are included in the small group of professions in which there is a duty of care to protect confidential client information. The LPL policy has historically responded to a breach of confidentiality stemming from any reason, including cyber and phishing attacks. But it’s not able to respond to first-party costs such as breach notification, data recovery, or forensic analysis. While some law firm policies have added cyber enhancements, most are actually limitations of the coverage for breach liability. This often shows up in the form of sublimits and narrower coverage than what the LPL policy already provides, even though these endorsements do add some limited first-party coverage.
WHY DOES A LAW FIRM NEED A STAND-ALONE CYBER POLICY?
Because law firms routinely deal with sensitive and valuable confidential corporate information, they make tempting targets for ransomware demands and other cyberattacks. According to the American Bar Association’s 2022 Tech Report, 27% of respondents’ firms had experienced a security breach at some point, including lost or stolen computers or smartphones, but just 46% of respondents’ firms had cyber liability insurance in place [1]. The average ransom payment exceeds $812,000, security firm Sophos reports, and many organizations are paying ransoms of $1 million or more [2]. At the same time, the average cost of a data breach in 2022 soared to $9.44 million in the U.S., up from $9.05 million in 2021, and more than double the global average of $4.35 million, according to IBM [3, 4, 5].
To ensure they have adequate cover in place and prevent confusion around cyber incident response, it’s best for law firms to purchase both stand-alone cyber coverage and LPL so that the right policy has the opportunity to respond in the event of a claim. A cyber policy is broader and able to provide both liability coverage and first-party coverage for breaches of confidential information as well as data recovery/forensics, cybercrime, and notification costs. Because LPL coverage is often considered the most valuable for protecting the law firm’s livelihood, many law firms prefer utilizing another policy to respond to cyber claims first. This allows the LPL policy to provide full limits for any privacy law liability damages in the event of a breach of confidential information. Any cyber liability sublimit could impact what should be an LPL wrongful act subject to full policy limits. Organizing the coverages correctly means that full limits from both the LPL and cyber policies are available in the appropriate instances. Knowledgeable brokers who understand the legal field’s risks, the forms of coverage available, and each policy’s details can properly tailor coverage to fit a law firm’s unique risks, helping to structure an insurance program that optimizes both cyber and LPL coverage.
HOW CAN A LAW FIRM COORDINATE CYBER & LAWYERS PROFESSIONAL POLICIES FOR MAXIMUM BENEFIT?
When working to optimize coverage for legal professionals, retail agents should make sure the LPL policy includes no cyber exclusion or any cyber coverage add-on that could interfere with the liability protection already available under an LPL policy. This is important because the LPL policy could become excess on top of the cyber policy for a covered liability claim that breaches the cyber policy limit. It’s also wise to ensure the cyber policy is primary coverage and goes first in the event of a breach of confidential information. Cyber policies can also respond to breaches of information not on a computer, so agents must make sure that coverage is fully understood.
When a claim does occur, the claims handling for the LPL policy is typically not going to offer the same capabilities that a dedicated cyber policy does, specifically around how and when to respond in a specific scenario. The cyber policy’s claims group will have a different set of relationships in regard to vendors for breach response, notification, and crisis management. The cyber claims handling group is also likely better prepared and equipped to consult with an insured about how to handle a variety of issues, including how to address a phishing incident that turns into a ransomware/extortion event.
When it comes to a well-rounded insurance program, law firms should have adequate and dedicated coverage that responds appropriately to cyber risks as well as professional liability needs. Coverage should be tailored to avoid any potential overlaps or grey areas that may cause confusion. Given the rising financial costs and reputational damage associated with cyber and phishing attacks, law firms need a dedicated, stand-alone cyber policy that will respond quickly and effectively to address breach response costs as well as any ensuing reputational damage. Brokers with deep experience in both cyber and LPL risks can help structure optimal programs to keep law firms covered. Contact your local CRC Group producer today to learn how we can help your clients make sure they have the right coverages in place.
- Greg Wagner is a Broker with CRC Group’s Dallas office and a member of the ExecPro Practice Group. He specializes in Professional and Cyber Liability.
- Lori Wheeler, a Broker with CRC Group’s Dallas office, specializes in professional liability exposures and is a member of the ExecPro Practice Group.
- Jason White is the Managing Director & National Practice Leader for CRC Group’s ExecPro Practice Group.
1. 2022 Cybersecurity, American Bar Association, Nov. 29, 2022. https://www.americanbar.org/groups/law_practice/publications/techreport/2022/cybersecurity/
2. Ransomware hit 66% of organizations surveyed for Sophos’ Annual State of Ransomware 2022, April 27, 2022. Sophos, Press Release, https://www.sophos.com/en-us/press/press-releases/2022/04/ransomware-hit-66-percent-of-organizations-surveyed-for-sophos-annual-state-of-ransomware-2022
3. IBM Report: Cost of data breach hits record high during pandemic, IBM, Press Release, July 28, 2021. https://newsroom.ibm.com/2021-07-28-IBM-Report-Cost-of-a-Data-Breach-Hits-Record-High-During-Pandemic
4. IBM Report: Consumers pay the price as data breach costs reach all-time high, IBM Press Release, July 27, 2021. https://newsroom.ibm.com/2022-07-27-IBM-Report-Consumers-Pay-the-Price-as-Data-Breach-Costs-Reach-All-Time-High
5. Security Intelligence, What’s New in the 2022 Cost of a Data Breach report, IBM, July 27, 2022, https://securityintelligence.com/posts/whats-new-2022-cost-of-a-data-breach-report/
6. Law Firms in the US – Number of Businesses 2003-2029, IBIS World, January 10, 2023. https://www.ibisworld.com/industry-statistics/number-of-businesses/law-firms-united-states/#:~:text=There%20are%20449%2C633%20Law%20Firms,increase%20of%200.7%25%20from%202022
7. Cyberattacks 'Inevitable' for Law Firms, Highlighting Need for Comprehensive Incident Response Plans, The American Lawyer, January 10, 2023. https://www.law.com/americanlawyer/2023/01/10/cyberattacks-inevitable-for-law-firms-highlighting-need-for-comprehensive-incident-response-plans/?slreturn=20230304122800#:~:text=In%202020%2C%20law%20firm%20data,data%20was%20compromised%20in%202021