Imagine showing up to your office in the morning to find someone had broken into it. It is pretty clear what you would do – call your property insurer and file a claim. Most firms have this coverage, so you will likely be up and running in no time. Now let’s assume that you have come to the office to find a different kind of theft. Someone has hacked into your system and stolen either sensitive client data or money out of a trust account belonging to a client. Now what do you do? The answer may not be so clear.
Your professional liability policy does not cover these types of first-party losses. Many law firms might hope this is covered under their E&O policy, but any way you look at it, this is a crime loss and is not covered. Lawyers Mutual, being concerned about the rising risk of cyber-crimes, continues to look into the possibility of adding cyber coverage to your professional policy. However, we’ve found that this type of coverage (coverage “endorsed onto” a policy) is generally very limited in amount.
A recent study shows that “nearly 60% of small businesses will shutter within half a year after being victimized by cybercrime.” (Cited by the U.S. Small Business Subcommittee on Health and Technology.) The study also noted that 20% of all cyber attacks were against small businesses with 250 or fewer employees. A common misconception is that only large businesses are targets for cyber-crime.
The North Carolina State Bar is one of the first to offer a formal ethics opinion related to this matter. If you haven’t read the 2011 Formal Ethics Opinion 6, you should. It is apparent that the NC State Bar recognizes the risks that are out there – “The opinion does not set forth specific security requirements because mandatory security measures would create a false sense of security in an environment where the risks are continually changing.”
What are your options? There are a few ways to cover this exposure. You can sometimes add a limited amount of cyber liability to your property policy. This will be a relatively low limit of coverage (up to $250,000 for example), and will cover some basic items such as notification expenses and defense for a lawsuit brought by your clients.
The most comprehensive way to protect yourself is to purchase a separate Cyber Policy. This will cover the items mentioned above, but also adds coverage for computer and funds transfer fraud (think money being stolen from a client’s trust account) and regulatory fines. Some of these coverages, such as computer fraud, can also be covered on a conventional crime insurance policy.
How much coverage is enough? This is a tough question to answer. There are many studies out there, but most put the cost at $200 or more per compromised record. If you multiply that by the number of clients (past and present), the total amount can be staggering. Additionally, you should consider ensuring that there is enough coverage to protect the client funds you are responsible for in your trust account, so if something does happen, you do not have to personally make up the shortfall.
How much does it cost? Cost varies due to many factors, such as the revenue for your firm, the types of information you keep stored electronically and the controls you have in place. That being said, here are some points of reference to give you an idea. For a small firm just wanting the basic coverage for notification expenses and a lower limit, the annual premiums will typically start in the $150 - $200 range. For a firm wanting the most comprehensive product, with higher limits ($500,000 - $1,000,000), premiums typically start around $1,000.
All that aside, with the rising risk of cyber attacks, can you afford not to purchase coverage?
Adam Pierce, AAI, is the Director of P&C Operations at Lawyers Insurance Agency. For more information, contact Adam at 800.662.8843 or firstname.lastname@example.org