The Gavel, Spring 2020, page 32

Managing Cyber Risk: Is cyber liability insurance important for law firms?
By Mark Lanterman

Cyber liability insurance policies are growing in popularity among organizations that store client data, but in my experience those who hold them are often just as confused about what the policies cover as those who decide to go without. Broadly described, cyber liability insurance is meant to protect businesses and organizations from the cybersecurity risks posed by their internet and technology infrastructures. Cybersecurity risk is multifaceted, however, and the damages from an incident often cannot be accurately quantified or fully described by those affected. Many categories of incident can be considered cyber risk, from natural disasters that cause technology failures, to internal theft, to phishing scams. How can such a policy (a) assess the value of the data compromised, or (b) assess current and ongoing damages with any certainty? When federal laws and regulations are inconsistently applied and enforced, should cyber liability insurance be required for organizations, and specifically law firms, that create, collect, and store client data? And how should organizations respond if broad regulations are ultimately put in place? In this article I examine the elements of cyber risk, the role of the security assessment in coverage offerings, and insurance as one part of a proactive security approach.

Defining Cyber Risk

To start, probably the greatest problem currently facing the cyber insurance market is what exactly constitutes "cyber risk." There is often a disconnect between what the insurer describes as cyber risk and what the insured believes falls under that category.
According to the Institute of Risk Management, cyber risk "means any risk of financial loss, disruption, or damage to the reputation of an organization from some sort of failure of its information technology systems." This broad definition remains open to interpretation on what constitutes a failure of IT systems, where the human element of security comes in, and the scope of damages; that breadth, together with the many categories of risk it could include, leaves a lot of room for argument between insurers and insureds. The risks include but are not limited to business interruption, identity theft, disclosure of sensitive information, technology failure, failed IT processes, and the human element, which encompasses mistakes, negligence, internal theft, and many more. Different types of client data also deserve different degrees of protection: in a data breach, sensitive data such as Social Security numbers and birth dates matter far more than license plate numbers. Organizations therefore have different insurance needs depending on the kinds of data they manage, and which risks they are likely to face depends on many variables; at the end of the day it is largely unpredictable. Given the types of data law firms handle and the boundaries imposed by attorney-client privilege, law firms may find it harder than most businesses to determine the large-scale effects of cyber risk. Because the definition of cyber risk is so complex, cyber liability insurance is notably different from other insurance products, including general liability coverage and technology errors and omissions (E&O) coverage.
Technology E&O coverage is aimed primarily at technology product and service providers that handle corporate data, and general liability policies are written for other exposures, whereas cyber liability insurance applies to any organization susceptible to data breaches, website media liability, and property loss due to cybercrime. Many policyholders believe cyber risk is simply another component of their general liability policy, only to be told otherwise in the wake of a breach. The relative novelty of cyber insurance has caught many firms and organizations off guard, since cyber risk is now treated as a specialized subset requiring a separate application process and specific coverage.

Mark Lanterman is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Task Force, Lanterman has 28 years of security and forensic experience and has testified in over 2,000 trials. He is a member of the Minnesota Lawyers Professional Responsibility Board.