Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Law Firms: A “Fully Radioactive Form of Risk”

June 28, 2022

Yes, I am back to talking about cyberinsurance again which has become an all-consuming nightmare for law firms. But this time, the perspective is Canadian – and yet, it mirrors everything happening to law firms in the U.S.

Insurance Business Canada reported on June 23 the extent of the strain on the cyberinsurance market in Canada. As in the U.S., the rise in ransomware claims and the lack of security controls in law firms has caused huge rate increases, reduced coverage and demands for enhanced cybersecurity.

At the end of 2020, cyberinsurance loss ratios were up to 400%, which means that for every $1 taken in, insurers were paying out $4. Clearly that is not sustainable.

Patrick Bourk, principal and national cyber practice leader at HUB International Ontario notes, “What we [brokers] end up doing is remarketing a lot of accounts.”

Bourk works with a lot of law firms, which he describes as a “fully radioactive class of risk” that few cyberinsurance companies want to underwrite.

“Law firms have this treasure trove of information. Statistically, they’re about six times more likely to pay the first ransom demanded, rather than negotiate it – which is quite ironic,” he said. “So, I go and speak to these smaller law firms who have been buying cyber insurance for a number of years (because they’ve realized it’s not a professional liability exposure; it’s a data exposure) and I have to tell them, months in advance of their renewal, that their premium is going to shoot up.”

“I had one law firm client whose premium went from about $4,000 to $36,000. So, I remarketed the account, which led to all of these questions coming back from different insurers about cyber security controls. So, that client had to very quickly work with IT security firms and managed services security providers to get their house in order as quickly as possible and become a more attractive risk. And that’s a challenge too, because a lot of times, you can’t do that very quickly.”

Bourk notes the problems that law firms face: “Then you’ve got the office manager of these smaller boutique law firms trying to balance: ‘If I hire somebody to help me with pre-breach preparedness, or if I buy all of these security tools like endpoint detection and response or a privileged access management system, that’s going to cost me $30,000 too. So, what should I do now? Do I need the insurance piece?’ And they have to grapple with all that in a pretty short, condensed timeframe,” Bourk said.

In the case of the client who had a $4,000 to $36,000 rate increase, Bourk found an insurer who acknowledged the law firm’s cybersecurity enhancements efforts and its risk mitigation – even though they weren’t fully implemented by the time they needed the policy – and their final premium was increased to just $9,000.

“My team at HUB does a lot of larger, complex risk placements – and for those firms, we have to say: ‘You can start from the premise that your deductible is going to go up twice, your premium’s going to go up by 100%, and you’re going to get half the limit you had before,’” Bourk explained.

It is no different in the U.S. Law firms are struggling to get quality cyberinsurance at a reasonable price. What we have learned is that it is all about the broker. If your broker is not proactive about working with your firm to educate you about the new expectations from carriers and constantly updating you about the changes in cyberinsurance, you’ve got the wrong broker. If the broker isn’t giving you multiple options and constantly scouring the ever-changing marketplace for the best coverage at the best pricing, you’ve got the wrong broker.

A law firm’s best option, if it is unhappy with its cyberinsurance and its broker, might be to ask other law firm leaders for the names of insurance brokers they would recommend.

Sharon D. Nelson, Esq., PresidentSensei Enterprises, Inc.
3975 University Drive, Suite 225Fairfax, VA 22030
Email:   Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology