Changes to the SafeLaw Program

Download Application

Please Note: The following summary provides a high-level overview of the changes to the SafeLaw program, which are effective for all new business accounts and renewals as of 01/01/2021..

  1. Capacity – The limits of insurance available for each policyholder has been reduced from $10,000,000 to $5,000,000. In the past, full limits of insurance were included for all insuring agreements. Full limits of insurance are still included for all the core insuring agreements, with sublimits of $50,000 for two of the new coverages including: (1) Employee Laptop and Device Replacement; and (2) Employee Identity Recovery
  2. Rates The base rates for the SafeLaw program have been increased for 2021. The increase ranges from 9% – 15% depending on the firms number of lawyers and annual revenue. However, the rate increase may be partially offset by: (1) new credits for underlying LPL insurance; (2) reduction in the deductible buy-down percentages; and (3) amended increased limit factors for firms that purchase more than $1,000,000 limits of insurance.
  3. UnderwritingThe application has been amended as follows: 
    1. Question 3 has been amended to include insured’s LPL insurer and policy including policy number. In addition, the request for the insured’s LPL premium has been deleted. 
    2. Questions 4 – 13 are new for 2021. They are focused on information security and ransomware. We attempted to keep the questions limited to just the baseline controls, so it’s important the questions can be answered affirmatively. Should you have any issues with the questions, please feel free to contact us for help. 
  4. Policy and Endorsements
    1. Difference In Conditions Wrap Coverage: The wrap language has been moved from the “insuring agreements” section of the policy to the “other insurance” section of the policy. The language has been simplified and provides additional clarity around primary and excess coverage application. In addition, specific language has been inserted for situations involving recognition of deductible erosion and situations where SafeLaw provides deductible infill of the insured’s LPL policy.  Lastly, there is now an option to remove the wrap language for firms that do not carry LPL insurance.  
    2. Incident Response Coverage: The incident response insuring agreement has been changed from a “reimbursement” structure to a “pay on behalf of” insuring agreement. The triggering events for the incident response coverage now includes any data breach, computer system disruption, data loss, cyber theft, or cyber extortion and ransomware threat otherwise covered by the policy, whereas last year the incident response coverage could only be triggered by a data breach. Lastly, the scope of the incident response expense coverage now includes reward payments for information that leads to the arrest and conviction of anyone committing any illegal act related to any coverage under the policy.
    3. Confidentiality, Privacy & Cyber Liability: The core cyber liability insuring agreement in SafeLaw was previously called “Confidentiality, Privacy, and Media Liability Coverage” and it has now been changed to Confidentiality, Privacy, and Cyber Liability”. We made this change because we moved the media liability coverage into a separate insuring agreement part, at the request of our broker partners (please see point IV.D directly below). In addition, the confidentiality, privacy, and cyber liability coverage has been amended as follows: 
      1. Privacy coverage now specifically addresses privacy losses not caused by a data breach, such as the insureds failure to properly inform individuals of the collection of, give access to, rectify errors or inaccuracies in, dispose of, or restrict processing of personally identifiable nonpublic information.  
      2. Contractual liability coverage has been expanded to specifically include a breach of a merchant credit card services agreement due to noncompliance with published PCI-DSS caused by a data breach; 
      3. Specified coverage has been added for emotional distress; 
      4. The firm’s directors and officers are now covered for errors or omissions committed in the. discharge of their duties, which results in a covered wrongful act. 
    4. Multimedia Liability: The media liability coverage has been removed from the Confidentiality, Privacy, and Cyber liability insuring agreement and placed into a separate insuring agreement titled Multimedia liability. In addition, our broker partners requested that we formally provide “offline” media coverage and include specified covered activities leading up to the actual publication of material. As such, two new supporting definitions have been added, which are as follows:
      1. Media Activities: defines the scope of covered media activities, including pre-publication activities such as gathering, collection, creation, and preparation as well as publication activities such as printing, production, publication, release, display, research, or serialization. 
      2. Media Material: defines the types of covered publication including online and offline publications such as written, printed, video, electronic, digital, or digitized communication. 
    5. Electronic Data Restoration // Business Income and Extra Expense: The coverage for electronic data restoration, business interruption, extended business interruption, dependent business interruption, and extra expense rely on the definition of Covered Cause of Loss” for coverage triggers. The definition of “Covered Cause of Loss” has been updated with expanded coverage triggers including voluntary shutdowns of the insured’s computer system as well as broader system failure coverage. 
    6. Cyber Theft and Social Engineering: This coverage has been restructured to 3 distinct coverage components including (1) social engineering; (2) theft from the insured’s accounts; and (3) theft committed through fraudulent use of the insured’s computer system. The social engineering coverage has a new “out of band authenticationrestriction, which requires the insured to first verify any new or changed transfer or payment instructions with the intended recipient using a communication method other than the method of communication(s) used to request the funds, prior to transferring the funds. This requirement can be deleted by endorsement, which is available for an additional premium upon completion of a supplemental application. Lastly, the coverage for theft committed through fraudulent use of the insured’s computer system now provides specified coverage for theft of service as well as coverage for fraudulent inducement of the insured’s vendors or clients to transfer money or delivery property to a third party under false pretenses. 
    7. The following coverages have been added to the insuring agreements section:
      1. Reputational Injury: Adds coverage for loss of income and brand damage mitigation expense following a reputational injury event.
      2. Employee Identity Recovery: Adds coverage for identity recovery expense including credit monitoring, credit repair, and out of pocket expense suffered by the firm’s employees following an identity theft event.
      3. Laptop and Device Replacement: Adds coverage for physical damage to or theft of laptops and portable devices caused by the malicious acts of a third party. 
    8. Definitions – The following coverage components have been amended through additions to or changes of the policy definitions: 
      1. Additional Insured: Coverage for additional insureds is now specified in the policy with a new definition of Additional Insured
      2. Claim: The definition of Claim now provides the insured with the option of notifying the insurer of circumstances that could lead to a claim when the insured becomes aware of an informal regulatory inquiry or investigation.
      3. Damages: The definition of “Damages has been amended to include plaintiff attorneys fees when they are part of a settlement, judgement, or award. 
      4. Extortion Loss // Extortion Expense: The definition in the old SafeLaw policy had a single definition of Cyber Extortion and Ransomware Expense. This has now been split into 2 separate definitions in the new policy, which are Extortion Loss and also Extortion Expense. This change to requires SafeLaw policyholders to notify the insurer and receive consent before making a ransom payment, while still allowing SafeLaw policyholders to incur extortion expense to investigate and mitigate an extortion threat without delay when notifying the insurer is impractical. 
      5. Insured’s Computer System: The definition of the “Your Computer System” has been changed to “Insured’s Computer System” and the language now formally addresses computer hardware and software used in work at home arrangements. Also, the definition expands the scope of coverage to include cloud-based audio and video conferencing activities.
      6. Subsidiaries: The definition of Subsidiary now addresses subsidiaries that are not wholly owned by the named insured. 
    9. Exclusions – The following exclusions have been amended, added, or deleted to address specific coverages:
      1. The bodily injury and property damage exclusions are now a single exclusion with a carveout for contingent bodily injury and property damage. In the past, this carveout was offered by endorsement only and generated an additional premium. Now it is included in the policy at no additional premium.
      2. The war and terrorism exclusion has been updated to reflect the requests of our brokerage partners. The concept of kinetic warfare is still included, but now cyber terrorism is specifically excepted from the exclusion.
      3. The workplace practices exclusion has been amended to exclude Biometric Information Privacy Act claims brought against employers by employees and contractors, which do not arise out of unauthorized access.
      4. The latent defect/time delayed damage exclusion has been deleted.
      5. The wear and tear exclusion has been deleted.
      6. The exclusion for physical perils including fire, smoke, explosion, lightning, wind, water, flood, earthquake, volcanic eruption, landslide, and hail has been deleted. 
    10. General Conditions – The following general conditions have been added or amended.
      1. Claims Avoidance: A claims avoidance coverage extension has been added.
      2. Claims Reporting: Cyber extortion and ransomware threats must now be reported to the insurer immediately and the insured must not incur extortion loss without the prior written approval of the insurer
      3. Other Insurance: The difference in conditions wrap language was previously contained in the insuring agreements section of the old SafeLaw policy. It’s been moved to the other insurance section of the policy at the request of our brokers and clients for clarification purposes.
      4. Allocation: An allocation clause has been added to the policy
      5. Representation and Innocent Insured: Representations language as well as an Innocent Insured provision has been added into the General Conditions section.
      6. Your Duties: The Your Duties section in the old SafeLaw policy has been renamed as Duties of all Insureds. This section has also been amended to remove the list of specific information security requirements, which has been replaced with softer language that requires the insured to make reasonable efforts to maintain controls similar to the controls disclosed in the application. In addition, new language was added to this section that requires the insured to notify the insurer immediately of any cyber extortion and ransomware threat. 
    11. Two new Endorsements are available for 2021 including:
      1. Delete Difference in Conditions Wrap: Law firms that do not purchase lawyers professional liability insurance, now have an option to remove the difference in conditions wrap coverage. The Delete Difference In Conditions Wrap endorsement this removes the difference in conditions language as well as the deductible infill and recognition of deductible erosion language from the SafeLaw policy. With this endorsement, the policy will function as a primary, standalone cyber insurance policy.
      2. Delete Crime Controls:  This endorsement removes the out of band authentication requirement from the Cyber Theft and Social Engineering coverage. It is available for a small additional premium upon completion of the Delete Crime Controls Application Supplement.

Important: The summary of changes outlined above is a general overview of updates to the SafeLaw program and policy for 2021 and is provided for illustrative purposes only. It is not a complete list of changes to the program and policy and does not provide any interpretation of coverages, definitions, exclusions, or conditions. As always, various provisions and exclusions in the SafeLaw policy restrict coverage. Please read the policy carefully to determine the extent of coverage.