Confidential client records and work product are the core of any law firm's practice. Most firms understand the necessity of archiving computer and paper files in a safe, off-site location. But what about the active files on a computer?
If they are compromised by a hacker, or otherwise threatened by criminal activity, how would it affect a firm's operation?
A recent survey of businesses and professional organizations, conducted jointly by the Federal Bureau of Investigation and the Computer Security Institute (www.gocsi.com), provides these chilling statistics:
Liability Insurance
Most firms have some form of liability insurance to protect premises and their contents against losses from fire or other disasters. But computer security risks are fundamentally different, and fundamentally unprotected by most policies.
Several years ago, Ernst & Young surveyed several thousand organizations about whether they had insurance coverage for losses related to computer security. More than 33% of respondents thought they had coverage through their general liability policies, but in fact did not. More than half either knew that they lacked coverage and had done nothing about it, or simply didn't know their coverage.
Ethical Responsibility
Such a head-in-the-sand attitude is, quite frankly, a violation of a lawyer's professional ethics. Failure to reasonably anticipate and be prepared to service clients in the wake of a disaster is arguably a failure in the overall duty to act competently or in the best interests of a client.
There is a first-party side (affecting your firm directly) and a third-party side (affecting your clients) to this. A variety of first-party computer security disasters can lead to loss, such as a breach of security and unauthorized access to your systems that damages your data or vandalizes your Web site, rendering you inoperable that day. This latter scenario may also lead to a third-party loss to those clients whose reliance on your system is key to their livelihood; a perfect example would be clients who depend on being served through an extranet. All of these situations would impact your firm financially and are considered first-party losses.
When a third party is injured or harmed and your firm is responsible, a third-party lawsuit will likely be filed against you. This can include such exposures as identity theft or the invasion of your clients' privacy. Another area of exposure is Web site content and the infringement of a third party's intellectual property.
A hacker could access your system, grab your e-mail database and client mailing list and use your system to send out damaging malicious code, such as a computer virus or worm.
Alternatives
Many insurers do not provide specialized coverage for these unique exposures, or will try to take a band-aid approach by providing endorsements to traditional policies, such as property, fidelity and professional liability insurance.
The only really effective way to ensure that your firm and clients will not suffer loss through a computer disaster is cyber-insurance, a specialized form of computer insurance coverage that insurance organizations such as American International Group, Chubb and Lloyd's of London have offered since the late 1990s.
An effective cyber-insurance policy can handle the first-party and third-party liabilities that your firm faces in a computer security disaster. These are typical kinds of coverage that are available:
• First-party business interruption. Covers revenue lost during system downtime caused by accidents and security breaches. Losses during catastrophic regional power outages are typically excluded, but that's little different from standard exclusions for floods or other "acts of God";
• First-party electronic data damage. Covers recovery costs associated with compromised data, such as virus infections;
• First-party extortion. Covers ransom demands of hackers who claim to control systems or data and threaten to do serious harm;
• Third-party network security liability. Covers losses associated with the compromise and misuse of data for such purposes as identity theft and credit card fraud;
• Third-party (downstream) network liability. Covers judgments from lawsuits initiated by those harmed by denial-of-service attacks and viruses sent out over your system; and
• Third-party media liability. Covers infringement and liability costs associated with Internet publishing, including Web sites, e-mail and other interactive online communication.
Purchase Options
Cyber-insurance usually costs more than conventional liability or business interruption insurance. Unlike traditional insurance policies, cyber-insurance has no standard scoring system or actuarial tables for pricing premiums. Each insurance company has its own way of grading customers, with methods varying according to the type of insurance. Before insurers will provide a policy quote, they usually require potential cyber-insurance purchasers to fill out a questionnaire detailing the steps they've already taken to ensure computer security: firewalls, laptop computer encryption, antivirus protection and similar common-sense steps that all firms should take.
If you are interested in cyber-insurance, you should first review your current coverage. Are you spending too much on the traditional plans, such as property and errors and omissions, when more of your firm's worth resides in unprotected data? If so, you need to understand not only what your data is worth to you, but how your systems affect your firm's bottom line. You should attempt to quantify how much you could lose from a computer disaster. Insurance costs money, so calculate the income loss so you can make better-informed decisions. Ultimately, the greatest loss may be in client confidence and resulting disciplinary action.