The following column appeared in the September 2012 issue of the Advisen Cyber Journal.
Lawyers typically fancy themselves as the smartest people in the room. Many certainly have the largest egos in the room. But when it comes to keeping their own houses in order? Well, not so much. Its akin the shoemaker whose children go barefoot.
The same flaw appears to apply with equal force and effect with respect to accountants. And consultants. And, perhaps most incredibly, insurance brokers.
Perhaps you've figured out where I'm going with this. But in case you haven't, here's what I'm getting at. Counter-intuitive as it may seem, anecdotal reporting from a number of underwriters I've spoken with suggest that intelligent, thoughtful, (sometimes) rational people who bill others hundreds of dollars an hour or make sizable commissions for dispensing professional advice do not abide by their own wisdom and don't buy cyber/technology/privacy ("CTP") insurance.
Yes, its true. And many of you reading this know it to be fact. Sadly, from your own personal experience. Does your law firm have a dedicated CTP policy? Does your insurance brokerage buy it? You counsel others to do so. You even sell it to them. But do you have it? The statistics from those with whom I have spoken (and I've spoken to over 10 markets) say no.
How can this be? Is it that lawyers think a breach won't happen to them? That certainly can't be it. Indeed, prominent law firms in the United States, Canada and London have experienced cyber breaches, in some cases purportedly victimized by the Chinese government; in others, "hactivists." What's even more surprising (and I never thought I would write these words, at least not in public), when it comes to cyber insurance, plaintiffs' lawyers in many cases are more enlightened than defense lawyers. According to my underwriters, plaintiffs' attorneys are more likely to buy cyber insurance than their defense counterparts. Go figure.
The fact that many large defense firms still do not insure for cyber risks is particularly surprising insofar as they typically store clients' sensitive corporate intelligence, proprietary intellectual property, personal information, and, in some cases, may qualify as "business associates" under HIPAA Nor is this a new concern, as the FBI issued public warnings as far back as 2009 of that hackers were using spear phishing e-mails with malicious payloads to exploit U.S. law firms and public relations firms. (Indeed, how many of us have received the "I am the King of Siam and can make you a billion dollars if you help me move my fortune by sending me $10,000" email? Apparently, the number is huge. Most incredibly, many attorneys have fallen prey to this "get rich quick" scam, then submitted claims to their E&O insurers. Seriously.). Yet, many law firms continue to disregard the myriad risks and exposures they face.
What about accountants and brokers? Is it possible that they don't think the information they obtain from clients isn't important enough, or of interest, to third-parties, be they hackers, hactivists, foreign governments or others? Of course not. Such professionals develop and store their clients' financial information, personal information, and, in some cases, health records. This is the very type of information that cyber insurance is designed to protect and cover in the event of a Wrongful Act, breach, loss or other covered event. And it's the precise target of bad guys looking to capitalize on other peoples' misfortunes.
Is it because the prices are too high? That's not a good answer either, as the market is saturated with insurers offering dedicated CTP insurance policies to professionals. At present, there are at least 26 cyber insurance purveyors, and that number is growing. I know of at least four companies looking to introduce new products, and I'm sure there are others I don't know about. Capacity drives pricing. And take my word for it from personal knowledge. CTP pricing for professionals is modest.
Then what can it be? From what I've seen and heard, it appears that, as often as not, professionals don't consider stand-alone CTP forms because they believe that they don't need it if they have professional liability policies. Some professionals have even been counseled by their own insurance advisors that it won't add anything to the first party property and third party E&O insurance they already have, so its not money well-spent.
Of course, any such illusion is a delusion. And a huge mistake. For several reasons.
First, clients' potential exposures may require their professional advisors to have cyber insurance. The SEC Guidance (discussed in a prior column) commands that public companies assess and disclose their cyber risks and exposures. Shouldn't the assessment include information and data outsourced to their consultants and advisors? Similarly, Massachusetts' privacy law and HIPAA may mandate companies to require their outside professionals to purchase some form of CTP insurance to protect the clients' protected information. It is not atypical for law firms to have to certify to clients that they have performed the requisite internal due diligence and obtained the requisite insurance coverage.
Second, it is wishful thinking to believe that standard insurance policies will insure again cyber and technology risks. Many property policies do not cover "intangible" property. And few, if any, provide the crisis management services needed in the event of a cyber-intrusion, breach or loss. For example, they certainly wouldn't cover the expenses relating to a computer forensic analysis, the preparation and mailing of breach notification letters, the maintenance of a call center, public relations, and credit monitoring. These crisis management exposures typically are the most costly in today's virtual environment. And the cost of CTP insurance certainly is minimal relative to their costs.
At the same time, it is questionable whether a third party policy would cover, or sufficiently cover, a claim by a client whose confidential/personal/health care information is lost or stolen. Why did the professional have such information? Is the professional's maintenance of confidential/personal/health care information on a computer server a professional service or is it an ordinary non-professional business activity outside the scope of professional liability coverage? It would be the professional's burden to establish that it maintained such information as part of its duties as a professional service provider. And even if the professional could meet this burden of proof, does it really want to see a third party cyber claim erode dedicated E&O policy limits, which then would not be available in the event of a serious professional negligence action?
Third, the cost of a CTP policy is de minimum relative to the coverages provided. In the case of law firms, a standard base form with $5 million in first and third party limits likely will cost well under $100,000, contingent, of course, on the scope and quality of a firm's security protections and systems, the size of the firm, and other underwriting criteria. We insure our homes, our cars, our personal exposures. Why on earth wouldn't we insure our CTP professional risks? At a minimum, all law firms should obtain quotes to evaluate the risk/benefit analysis.
And fourth, isn't it hypocritical to advise clients to have CTP insurance, yet not have it yourself? And heaven knows, none of us are hypocrites. Just ask our kids.
In short, whether it comes down to questions of blissful ignorance, penny-wise, pound foolishness, neglect or hypocrisy, many professionals are not buying much-needed CTP insurance. It should be a no-brainer. And after reading this column, I would hope you'd agree. For those of you who still don't, please give me a ring. I'd love to understand your thought-process, then direct you to a broker or underwriter who will further disabuse you of your misbelief.
Originally published on CyberInquirer.
www.cozen.comThe content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
