My guest at this eye-opener of a webinar was Brad Barkin, vice president of law and accounting practice for Embroker, a commercial insurance company that provides cyber insurance (and other types of coverage) at attractive prices without the hassle.
Three big takeaways from the BobaGuard webinar on cyber insurance:
- Cyber insurance is law-practice business protection you cannot do without these days.
- The reason you can’t do without it is that the malpractice and general business insurance you’re currently carrying are unlikely to adequately protect you in the aftermath of a successful data breach, ransomware attack, or social engineering scam.
- And, unless you’re a glutton for punishment, you should, if possible, avoid dealing with cyber-insurance providers that require you to fill out a long (rather than a short) application form because the longer it is, the more complex and frustrating the task of completing it becomes. The more frustrating it is, the more inclined you’ll be to give up in despair and walk away without the protection you seek.
Brad started the webinar—titled “Cyber Insurance for Your Law Firm: What You Need to Know”—by citing some scary statistics. For example, the average cyber-insurance claim payout for a small law firm is $85,000 and about $631,000 for a big one, numbers that suggest cybercriminals can potentially cause a lot of financial damage to a firm through their malicious acts.
The top two forms of cybercrime that law firms can expect to be the targets of these days are ransomware attacks, followed by social-engineering scams.
A ransomware attack is where your computers or IT network become infected with a virus that either renders your data files inaccessible or your entire system unusable until you agree to meet the cash demands of whoever it was that did the infecting. If you have good cyber insurance, the provider will pay this ransom for you (Brad said insurers usually find it cheaper to cough up the dough than to hire white-hat tech specialists to try purging the virus).
Social-engineering scams are situations where you (or someone under your direct supervision) are tricked into either divulging confidential login credentials or diverting funds to an account controlled by the trickster. Cyberthieves position themselves to be able to pull off these scams by secretly monitoring your online conversations and activities. Once they gather enough information, they can convincingly pretend to be an existing client or a trusted colleague.
Ideal Cyber-Insurance Policy
Brad then talked about cyber insurance policies. He said an ideal one should offer the following coverages:
- Privacy and network security. This protects against losses caused by a privacy breach, theft of digital assets, a network attack, and transmitting a virus from your computers to somebody else’s.
- Forensics. After cybercriminals strike, you’ll need to bring in a specialist to figure out how the rotten deed was pulled off so that the right countermeasures can be implemented. A good cyber-insurance plan covers this cost.
- Telecommunication fraud. This protects you against social-engineering schemes.
- Cyber extortion. This pertains to ransomware attacks.
- Invoice fraud. If you discover that a client, contacted by cyberthieves pretending to be you, sent an awaited payment to an account that isn’t yours, the insurer will make it up to you.
- Business interruption. A successful cyberattack can, for a time afterward, make it difficult or impossible to get any work done; business interruption protection softens the blow to your cash flow during that period.
- Fines and penalties. Your state bar and other entities with disciplinary power can levy economic sanctions against you if they determine you failed to take reasonable steps to safeguard client data and funds entrusted to you. With this coverage, those punishments are unlikely to prove crippling.
Brad then dropped a bombshell by contending that what law firms think is cyber protection often turns out to be nothing of the sort and that the policy they’re holding is of little or no help. For example, many law firms mistakenly believe full cybercrime protection exists as part of their malpractice and general business operations policies.
Tips for Purchasing Thorough Coverage
The best way to lock in solid cyber-insurance coverage is to ask the provider you’re talking to if they’ve got a short application form for you to fill out. If the answer is no, keep shopping around for an insurer that does. The reason is that the long form is a serious challenge.
So why do they want you to do the long version? Many insurers who prefer not to cover you for the growing problem of cybercrime use the long application as a polite means of discouraging you from becoming a customer.
When shopping for cyber insurance, Brad cautioned, be on the lookout for policies that sublimit certain items. For instance, you might be offered a $1 million cyber-protection policy—sounds great, but contained within it is a sublimit on social-engineering scams that caps your payout for this particular crime at perhaps no more than $100,000, which is but a tenth of what you think your umbrella’s size is.
Another sublimit some companies like to insert compensates you for only the stolen money that belonged to you, not to your client, he added.
Consequently, it’s crucial that you ask probing questions before signing on the dotted line to know exactly what your cyber-protection policy will cover and how much good it’s actually going to do for you when the day comes that you need to file a claim (which is probably going to be sooner rather than later if the trends outlined keep moving in the wrong direction).