THE SKY IS FALLING
Since cyberinsurance came on the scene, law firms have fretted about the rising costs. Through most of 2021, prices increased by 30–40%. But according to global insurance company Marsh, the price of cyberinsurance in the U.S. grew by a stunning 130% in the fourth quarter of 2021.1 Commercial insurance, by contrast, rose only 13% during that same period. Cyberinsurance carriers will say the market was undervalued to begin with, and the increases are value adjustment corrections.
Insurance companies often have reinsurance policies they buy to protect themselves from steep claims — and the price of reinsurance has increased as well, further spooking insurers, some of whom have withdrawn from offering commercial policies and shrinking the marketplace. Basically, we’ve been watching a train wreck in cyberinsurance with no end in sight.
IS THIS ALL ABOUT RANSOMWARE?
Yes, pretty much. London-based insurer Beazley has said that prices will increase as claims, especially ransomware claims, increase.2 The financial impact has been so severe that some insurance companies have decided simply to stop offering cyberinsurance.
Others have taken draconian measures. The Register, an online technology news publication, reported in November 2020 that Lloyd’s of London may no longer extend insurance coverage to companies affected by acts of war.3 The insurer’s cyberwar and cyberoperation exclusion clauses include an alarming line suggesting policies should not cover “retaliatory cyberoperations between any specified states” or cyberattacks that have “a major detrimental impact on ... the functioning of a state.”4
Lloyds published four different clauses as suggestions for insurers in policies it underwrites, and it seems likely that some insurers will adopt some of those clauses. Wrote The Register: “The policy clauses also raise the idea of insurance companies attributing cyberattacks to nation states in the absence of governments carrying out attribution for specific incidents, an idea that seems extremely unlikely to survive contact with reality.”5
Truer words were never spoken. This would be, as our British friends would say, a bloody mess. Nation-state attacks are common, and the line between a Russian state attack and an attack by ransomware gangs harbored by Russia, for example, could get very blurry.
INCREASED PREMIUMS AND DEDUCTIBLES, DECREASED COVERAGE
Read that bold text above again, because that’s what you’ll face when renewing your cyberinsurance coverage. Take a close look at the exclusions because they may have expanded significantly and paying a hefty increase in premiums may be buying much less than you think.
Exclusion clauses now often include acts of war, failure to maintain standards (more on that later), payment card industry fines and assessments, and prior acts. Prior acts exclusions prevent claims for activity that took place before the retroactive date or the first date of a policy. This exclusion is important because data breaches are often not detected until long after they occur.
A New Jersey judge in January ruled on an acts of war exclusion lawsuit.6 The case dealt with the 2017 Russian cyberattack on Ukraine known as the NotPetya attack, which impacted U.S. businesses including pharmaceutical giant Merck.
Merck filed a claim with its insurer, claiming it incurred $1.4 billion in damages. The insurer denied coverage based on the acts of war exclusion. Merck sued. The judge ruled that the insurer can’t claim the act of war exclusion because the language in the policy applied to traditional forms of warfare, not cyberattacks. The insurer was required to pay the claim to Merck.7
You can be sure insurers are altering that kind of exclusion.
FAILURE TO MAINTAIN SECURITY STANDARDS: AN ESCAPE ROUTE FOR INSURERS
A typical day in the office includes a call from a worried lawyer telling us the firm has received a 20-page cybersecurity application form with questions no one really understands. Managing partners have a sinking feeling that they can’t truthfully answer the questions the way the insurance company wants them to.
No question about it — insurers now have a long list of questions designed to help them deny claims if you don’t keep up with required security measures. The language of a “failure to maintain standards” exclusion varies widely.
Ask insurers to remove any ambiguous language in a cyberpolicy to ensure that the standards are clear. Does the insurer require use of basic controls like encryption or multifactor authentication (MFA)? Do they specify MFA methods that are acceptable or is the MFA question silent on the type, therefore allowing you to implement short-message service (SMS) text messages which are subject to swapping attacks? Are there specific regulatory obligations required for compliance? Does the insurer require periodic training, testing, or upgrades in technology during the policy period?
How much room is there for negotiation? In our experience, not much. Presumably, insurance companies have qualified cybersecurity experts helping them design the required security standards, but we’ve seen many standards which do not indicate a deep understanding of cybersecurity or reasonable ways to reduce risk.
Nonetheless, it is almost a take-it-or-leave-it proposition from the insurer’s point of view. Our own prominent insurance company wrote these words:
“If we do not hear back from you by 02/24/2022 or unacceptable answers are received to these questions, we will need to send notice of non-renewal for the Professional/Cyber policy.”
Charming after decades of loyalty to an insurer without a single claim, isn’t it? We’re not alone; this scenario is being repeated at law firms of all sizes.
HOW DO LAW FIRMS PROTECT THEMSELVES?
It remains to be seen whether cyberinsurance companies will mandate so many exclusions, copays, and deductibles that their policies aren’t worth purchasing. As it is, 64% of small and medium-sized businesses do not have cyberinsurance coverage, according to an August 2021 report by data firm Statista.8
Too many law firms are buying insurance and thinking, “We are good to go now.” That’s a mistake. We need to change that mindset. Cyberinsurance is fine if you can find good insurance at a reasonable price, but proactive security is critical to law firms and often underemphasized.
Get a security assessment from a reputable cybersecurity firm — for a reasonable flat fee, you should be able to get an assessment that includes a detailed report of critical vulnerabilities to be addressed immediately, medium vulnerabilities you can take a little time to budget for, and minor vulnerabilities that can be dealt with later.
If you have been avoiding MFA, stop. It may be a minor nuisance, but it is usually free and very effective. If you don’t have technology to monitor and respond to cyberattacks, you’re asking for a breach. If you haven’t implemented Zero Trust architecture, a network defense that, at its core, is based on the premise of trusting no one,9 don’t wait to embark on that inevitable journey.