Lawyers Cyber Risk Coverage Highlights
DOWNLOAD THE APPLICATION“Please Note: The coverage summary below is a general description of coverage provided for illustrative purposes only. Various provisions in the SafeLaw policy restrict coverage. Please read the policy carefully to determine the extent of coverage and refer any questions to your broker.”
Coverage Summary
SafeLaw coverage offers dedicated cyber risk protection created for the unique cyber risks of law firms. The SafeLaw policy was designed to fill gaps in Lawyers Professional Liability insurance and protect law firms from first-party and third-party cyber risk losses including:
- Data Breach Response Expense: A) Coverage for remediation costs the firm incurs following a data breach involving confidential information or personally identifiable information. Covered expenses include the following:
- Incident Advisor(s): Costs to hire legal advisors to establish attorney-client privilege, retain a forensic expert, and coordinate the forensic services as well as advise on the applicability and actions necessary to comply with the firm’s ethical, professional and regulatory requirements.
- Technical Forensics: Costs to conduct an independent security audit and forensics to identify the source and scope of the data breach;
- Public Relations Expense: Costs to hire a public relations firm to avert or mitigate damage to the firm’s reputation;
- Notification: Cost to notify individuals or organizations of a data breach involving confidential information or personally identifiable information;
- Identity Theft Assistance: cost to provide credit monitoring service, identity theft assistance, a help line, identity restoration service, and identity theft insurance to individuals and organizations impacted by a data breach; and
- Call Center: Cost to establish a crisis communication call center to communicate with victims of a data breach.
SafeLaw includes coverage for the remediation costs the firm is legally obligated to pay for and the remediation costs the firm voluntarily elects to incur to mitigate damage to the firms reputation.
- Electronic Data Restoration: Covers the cost of forensics, loss mitigation and expenses to recreate or restore the firm’s data, software, or firmware, that is corrupted, lost or damaged due to:
- hacker attacks, denial of service attacks, computer viruses, or ransomware;
- programming errors, data creation errors, entry errors, or modification errors; or
- electrostatic build-up and static electricity; and
- errors or omissions resulting in physical damage to the firms electronic storage media;
- Business Interruption and Extra Expense: Covers the cost of forensics, loss mitigation expense, loss of income, and extra expense incurred by the firm due to a total or partial interruption of the firm’s computer system, which is caused by:
- hacker attacks, denial of service attacks, computer viruses, or ransomware
- programming errors, data creation errors, entry errors, or modification errors; or
- electrostatic build-up and static electricity; and
- errors or omissions resulting in physical damage to the firms electronic storage media;
- CyberCrime (Fraud) and Social Engineering: Covers the firm for financial loss due to:
- fraudulent funds transfers from the firm’s bank or securities accounts or a client’s bank or securities accounts for which the firm is an authorized custodian as of a result of social engineering; and
- fraudulent use of the firm’s computer system to steal the firm’s money, securities or other property.
- Extortion and Ransomware: Covers extortion monies and the firm’s expenses to mitigate or terminate cyber extortion threats including:
- ransomware threats;
- threats to disclose confidential or private information;
- threats to direct a denial of service attack (“DDOS”) at the firm’s computer system;
- threats to hack or implant a virus in the firm’s computer system’ and
- threats to delete, destroy or damage the insured’s electronic data.
Remove after finishing formating. Just to remind me of code to use.
- Electronic Data Restoration: Covers the cost of forensics, loss mitigation and expenses to recreate or restore the firm’s data, software, or firmware, that is corrupted, lost or damaged due to:
- hacker attacks, denial of service attacks, computer viruses, or ransomware;
- programming errors, data creation errors, entry errors, or modification errors; or
- electrostatic build-up and static electricity; and
- errors or omissions resulting in physical damage to the firms electronic storage media;
The Safelaw Cyber Liability product was specifically made for attorneys and their special needs compared to other businesses. Below you will see a comparison of our product versus our competitors and why this is better for your lawfirm or your clients.
GENERAL POLICY FEATURES
Applicable to entire policy
| Safelaw Coverage Features | Competitors Cyber Risk Policies | Benefits |
|---|---|---|
| Coverage structured exclusively for Law Firm cyber exposures | no | SafeLaw coverage is designed for the business activities and cyber risks of law firms. Everything from sensitive client legal information to loss of billable hours to specialized regulatory risks associated with law firm cyber perils is contemplated. |
| Difference in Conditions Wraparound Policy Structure | No | SafeLaw coverage is dovetailed with the LPL policy to eliminate the gaps and coverage conflicts that usually exist. Where the LPL policy provides no coverage SafeLaw provides primary coverage. Where the LPL provides partial coverage SafeLaw covers the uncovered portion of the claim and were the LPL provides full coverage SafeLaw provides excess coverage with no deductible. We are currently the only program to provide such coverage to law firms. |
| Deductible Infill/Erosion | Yes | SafeLaw recognizes erosion for amounts paid under LPL and can infill LPL deductible in some cases. |
| Single Blanket Deductible | Possibly – However, many cyber risk insurers apply multiple deductibles. | A single deductible applies to losses no matter how many coverage sections are triggered |
| Broad definition of Insured drafted for law firms | No – competitors policies use standard corporate definitions | The SafeLaw definition of Insured mirrors the language used in lawyers professional liability polices. The way we define insured avoids the typical pitfalls and limitations of the corporate structure limitations. |
| Knowledge standards limited to a control group | Possibly – Some of the better cyber risk insurers provide control groups. However, we are the only cyber risk provider to use law firm specific control group wording. | The typical policy requirements imposed when a member of the company has knowledge of a cyber-incident is limited to when a member of a small control group has knowledge. The language also provides coverage for malicious acts of employees. |
| Safelaw Coverage Features | Competitors Cyber Risk Policies | Benefits |
|---|---|---|
| Coverage structured exclusively for Law Firm cyber exposures | no | SafeLaw coverage is designed for the business activities and cyber risks of law firms. Everything from sensitive client legal information to loss of billable hours to specialized regulatory risks associated with law firm cyber perils is contemplated. |
| Difference in Conditions Wraparound Policy Structure | No | SafeLaw coverage is dovetailed with the LPL policy to eliminate the gaps and coverage conflicts that usually exist. Where the LPL policy provides no coverage SafeLaw provides primary coverage. Where the LPL provides partial coverage SafeLaw covers the uncovered portion of the claim and were the LPL provides full coverage SafeLaw provides excess coverage with no deductible. We are currently the only program to provide such coverage to law firms. |
| Deductible Infill/Erosion | Yes | SafeLaw recognizes erosion for amounts paid under LPL and can infill LPL deductible in some cases. |
| Single Blanket Deductible | Possibly – However, many cyber risk insurers apply multiple deductibles. | A single deductible applies to losses no matter how many coverage sections are triggered |
| Broad definition of Insured drafted for law firms | No – competitors policies use standard corporate definitions | The SafeLaw definition of Insured mirrors the language used in lawyers professional liability polices. The way we define insured avoids the typical pitfalls and limitations of the corporate structure limitations. |
| Knowledge standards limited to a control group | Possibly – Some of the better cyber risk insurers provide control groups. However, we are the only cyber risk provider to use law firm specific control group wording. | The typical policy requirements imposed when a member of the company has knowledge of a cyber-incident is limited to when a member of a small control group has knowledge. The language also provides coverage for malicious acts of employees. |
FIRST PARTY PROPERTY COVERAGE FEATURES
Applicable to electronic property, loss of income and crisis response coverage sections.
| SafeLaw Coverage Feature | Competitors Cyber Risk Policies | Benefit |
|---|---|---|
| Tailored coverage for accidental damage. | No | The covered perils include some types of physical damage resulting in data loss, which is not usually covered by property policies purchased by law firms. This approach helps eliminate potential gaps between policies. |
| Outsourced systems covered | Possibly – Usually very limited | SafeLaw gives coverage for electronic property damage and loss of income are covered anywhere. |
| Contingent business income | Rarely – Sometimes available by endorsement | Contingent business interruption is standard in SafeLaw |
| Coverage for billing system interruption and loss of billable hours | No | Many of the usual business income revenue recognition requirements that impair a law firms ability to recover business income losses don’t apply. The coverage is structured around a loss of billable hours when a loss occurs |
| Expanded Incident response services | No | SafeLaw’s incident response coverage includes remediation expenses associated with disclosures of any of your firms data such as data subject to confidentiality restrictions or attorney client privilege. Most cyber risk insurers only provide incident response coverage for personally identifiable information to remediate identity theft. |
| Proof of loss expenses are covered | Possibly – some competitors provide small sub limits of coverage and others provide none. | The cost of proving a loss can be hundreds of thousands of dollars in some cases. SafeLaw provides coverage for proving a loss including technical forensics and forensic accounting and there are no sub limits. |
| No War or Terrorism or Exclusions | No – Other cyber risk policies have war and/or terrorism exclusions. We are currently the only provider offering coverage without a war or terrorism exclusion. | Many cyber attacks are classified as terrorist acts, so most polices impose significant limitations on coverage by having a terrorism exclusion. SafeLaw has no terrorism Exclusion. |
| SafeLaw Coverage Feature | Competitors Cyber Risk Policies | Benefit |
|---|---|---|
| Tailored coverage for accidental damage. | No | The covered perils include some types of physical damage resulting in data loss, which is not usually covered by property policies purchased by law firms. This approach helps eliminate potential gaps between policies. |
| Outsourced systems covered | Possibly – Usually very limited | SafeLaw gives coverage for electronic property damage and loss of income are covered anywhere. |
| Contingent business income | Rarely – Sometimes available by endorsement | Contingent business interruption is standard in SafeLaw |
| Coverage for billing system interruption and loss of billable hours | No | Many of the usual business income revenue recognition requirements that impair a law firms ability to recover business income losses don’t apply. The coverage is structured around a loss of billable hours when a loss occurs |
| Expanded Incident response services | No | SafeLaw’s incident response coverage includes remediation expenses associated with disclosures of any of your firms data such as data subject to confidentiality restrictions or attorney client privilege. Most cyber risk insurers only provide incident response coverage for personally identifiable information to remediate identity theft. |
| Proof of loss expenses are covered | Possibly – some competitors provide small sub limits of coverage and others provide none. | The cost of proving a loss can be hundreds of thousands of dollars in some cases. SafeLaw provides coverage for proving a loss including technical forensics and forensic accounting and there are no sub limits. |
| No War or Terrorism or Exclusions | No – Other cyber risk policies have war and/or terrorism exclusions. We are currently the only provider offering coverage without a war or terrorism exclusion. | Many cyber attacks are classified as terrorist acts, so most polices impose significant limitations on coverage by having a terrorism exclusion. SafeLaw has no terrorism Exclusion. |
THIRD PARTY LIABILITY COVERAGE FEATURES
Many cyber attacks are classified as terrorist acts, so most polices impose significant limitations on coverage by having a terrorism exclusion. SafeLaw has no terrorism Exclusion.
| SafeLaw Coverage Features | Competitors Cyber Risk Policies | Benefits |
|---|---|---|
| Enterprise wide data coverage | Possibly – Many insurers cover data just in the insured’s computer system. | Coverage for all of the firm's confidential data (not just personally identifiable information) is included in SafeLaw. |
| Regulatory violations, ethics violations, disciplinary proceedings fines and penalties coverage for all covered perils with no sub limits. | No – Competing products cover privacy regulatory actions and usually have sub limits of coverage. | Regulatory coverage expanded to include regulatory, disciplinary and administrative proceedings unique to the legal industry as well as the associated and fines and penalties. |
| Softened hammer clause | Possibly | Consent to settle language is 50/50 in SafeLaw. |
| Vicarious liability coverage | Possibly – sometimes available by endorsement | Coverage is included for breaches and disclosures of data wherever they happen, even by a service provider or at an outsourced location. |
| Physical theft of data and accidental disclosure coverage | Rarely | Coverage for data breaches includes physical and accidental perils such as loss of a laptop by an employee or theft of equipment. |
| No professional services exclusion | Possibly | SafeLaw policy provides protection for cyber losses even when they occur during the course of professional services |
| SEC, RICO, pollution, EPLI and other exclusions are carved back | No | Carves back coverage for firms that provide services to industries or in areas that may be impacted by such exclusions. |
| SafeLaw Coverage Features | Competitors Cyber Risk Policies | Benefits |
|---|---|---|
| Enterprise wide data coverage | Possibly – Many insurers cover data just in the insured’s computer system. | Coverage for all of the firm's confidential data (not just personally identifiable information) is included in SafeLaw. |
| Regulatory violations, ethics violations, disciplinary proceedings fines and penalties coverage for all covered perils with no sub limits. | No – Competing products cover privacy regulatory actions and usually have sub limits of coverage. | Regulatory coverage expanded to include regulatory, disciplinary and administrative proceedings unique to the legal industry as well as the associated and fines and penalties. |
| Softened hammer clause | Possibly | Consent to settle language is 50/50 in SafeLaw. |
| Vicarious liability coverage | Possibly – sometimes available by endorsement | Coverage is included for breaches and disclosures of data wherever they happen, even by a service provider or at an outsourced location. |
| Physical theft of data and accidental disclosure coverage | Rarely | Coverage for data breaches includes physical and accidental perils such as loss of a laptop by an employee or theft of equipment. |
| No professional services exclusion | Possibly | SafeLaw policy provides protection for cyber losses even when they occur during the course of professional services |
| SEC, RICO, pollution, EPLI and other exclusions are carved back | No | Carves back coverage for firms that provide services to industries or in areas that may be impacted by such exclusions. |
Wrap Overview
Lawyers Professional Liability Insurance (“LPL”) policies were originally built to cover lawyers for professional malpractice. The first LPL policies provided attorneys with liability coverage for errors or omissions committed in the course of providing professional legal services resulting in financial loss suffered by clients. Although LPL policies have evolved to cover a broader range of legal services and some peripheral exposures such as employment practices, personal and advertising injury, most LPL policies available today still limit coverage to professional malpractice only. LPL policies were not designed to cover cyber risk and LPL insurers don’t underwrite the exposure or charge a premium for it. As such, many gaps in coverage exist and LPL insurers decline cyber risk claims submitted under LPL policies even when there isn’t a specific cyber risk exclusion or in instances where coverage appears to fall into a gray area. Please see the table below for a high level overview of common coverage in LPL policies for cyber risk.
THIRD PARTY LIABILITY
| Risk | Defense Expenses | Damages, Fines and Penalties | Remediation Expenses |
|---|---|---|---|
| Liability for confidential data (NPI, PII) breaches and loss remediation expenses | Defense expenses could arguably covered in broad “duty to defend” LPL policies, but regulatory investigations and defense are not. | While some types of civil damages may be covered, consumer redress, regulatory fines and penalties are not likely covered. | No coverage for notification expenses and remediation solutions provided to affected parties. |
| Liability for damage to the electronic property of others or transmission of a computer attack | Loss of client data may be covered. Damage to data of others (non- clients) or transmission of a computer attack probably won’t be covered. | A small sliver of coverage for damage to client data may exist. Damages for other suits are arguably not covered. | No coverage for cleanup, repairs, and notification expenses. |
| Liability for performance delays or failure to deliver services. | Although some LPL policies have exclusionary language many LPL insurers will provide this coverage for performance failure or delay when caused by cyber risk. However, regulatory coverage for such failures | Many LPL policies will provide coverage for compensatory and punitive damages. In most cases regulatory damages are not covered. | LPL policies do not appear to provide coverage for remediation or re-performance of services. |
| Advertising and publishing liability | Some LPL policies provide limited personal injury coverage, so defense costs for certain media perils may be covered. | Damages for covered media perils may be covered, but regulatory fines and penalties are probably not covered | Costs associated with cleanup, withdrawal or corrections are not typically covered in LPL policies |
| Risk | Defense Expenses | Damages, Fines and Penalties | Remediation Expenses |
|---|---|---|---|
| Liability for confidential data (NPI, PII) breaches and loss remediation expenses | Defense expenses could arguably covered in broad “duty to defend” LPL policies, but regulatory investigations and defense are not. | While some types of civil damages may be covered, consumer redress, regulatory fines and penalties are not likely covered. | No coverage for notification expenses and remediation solutions provided to affected parties. |
| Liability for damage to the electronic property of others or transmission of a computer attack | Loss of client data may be covered. Damage to data of others (non- clients) or transmission of a computer attack probably won’t be covered. | A small sliver of coverage for damage to client data may exist. Damages for other suits are arguably not covered. | No coverage for cleanup, repairs, and notification expenses. |
| Liability for performance delays or failure to deliver services. | Although some LPL policies have exclusionary language many LPL insurers will provide this coverage for performance failure or delay when caused by cyber risk. However, regulatory coverage for such failures | Many LPL policies will provide coverage for compensatory and punitive damages. In most cases regulatory damages are not covered. | LPL policies do not appear to provide coverage for remediation or re-performance of services. |
| Advertising and publishing liability | Some LPL policies provide limited personal injury coverage, so defense costs for certain media perils may be covered. | Damages for covered media perils may be covered, but regulatory fines and penalties are probably not covered | Costs associated with cleanup, withdrawal or corrections are not typically covered in LPL policies |
FIRST PARTY LIABILITY
| Risk | Direct & Consequential Loss | Proof of Loss Costs | Remediation Expenses |
|---|---|---|---|
| Damage to your electronic property | Arguably Not Covered | Arguably Not Covered | Arguably Not Covered |
| Disruption of your computer system resulting in lost income and extra expense | Arguably Not Covered | Arguably Not Covered | Arguably Not Covered |
| Fraudulent Funds Transfers | Arguably Not Covered | Arguably Not Covered | Arguably Not Covered |
| Ransomware and Electronic Extortion | Arguably Not Covered | Arguably Not Covered | Arguably Not Covered |
| Risk | Direct & Consequential Loss | Proof of Loss Costs | Remediation Expenses |
|---|---|---|---|
| Damage to your electronic property | Arguably Not Covered | Arguably Not Covered | Arguably Not Covered |
| Disruption of your computer system resulting in lost income and extra expense | Arguably Not Covered | Arguably Not Covered | Arguably Not Covered |
| Fraudulent Funds Transfers | Arguably Not Covered | Arguably Not Covered | Arguably Not Covered |
| Ransomware and Electronic Extortion | Arguably Not Covered | Arguably Not Covered | Arguably Not Covered |
Structuring Cyber Risk Insurance for Law Firms
Structuring cyber risk coverage for law firms is unique because many LPL policies have narrow bands of coverage for cyber risk that conflict with coverage in cyber risk policies. Such coverage conflicts frequently result in a myriad of problems including coverage gaps, overpaying for coverage, other insurance provisions being triggered, multiple deductibles that must be satisfied, and lengthy disputes with multiple insurers. These issues make structuring proper cyber risk coverage that much more important and difficult for law firms than for other industries.
Designed correctly, a cyber risk insurance policy covers a broad range of new risks and fills gaps in the firm’s other liability and property insurance policies without duplicating coverage. SafeLaw uses a specialized policy structure called “difference in conditions” to address cyber risk needs of law firms without conflicting with LPL policy coverage. A difference in conditions policy is a very broad policy crafted to fill gaps in other insurance policies without creating coverage gaps or overlaps. SafeLaw also has a radically different construction that is designed to provide:
- primary cyber risk coverage when the firms LPL policy doesn’t provide coverage for a particular claim;
- excess cyber risk coverage when the firms LPL does provide coverage for a particular claim; or
- co-primary cyber risk coverage when the firms LPL provides partial coverage for a particular claim.
It is the optimal structure for a providing flexible, inexpensive and seamless coverage for law firm cyber risks. Please see the chart below for more information on a how the SafeLaw policy works compared to traditional cyber risk insurance.
Standard cyber risk insurance is a separate tower of defined perils coverage. It does not interact with the other policies in the program, resulting in multiple deductibles, coverage conflicts and gaps in coverage
The SafeLaw policy structure is a separate tower of cyber risk coverage that wraps around the LPL policy. Depending on the claim, SafeLaw can be primary, excess or even both.
How does DIC Work?
Lawyers professional liability (“LPL”) coverage and cyber risk coverage frequently overlap on cyber risk claims. It’s especially true with third party liability cyber risk claims because most LPL policies have broad E&O triggers without an exclusion for cyber risk. Coverage overlaps cause big problems with claims, including application of multiple deductibles, finger pointing by insurers, and extended time periods before claims are paid by insurers. Therefore, we designed SafeLaw to address these issues. SafeLaw is designed to cover third party liability cyber risk claims on a difference in conditions (“D.I.C.”) wrap basis to dovetail with coverage in the LPL. In addition, we developed deductible wording to ensure the client is only responsible for a single deductible even when both the LPL and the cyber risk policies covered the claim. The third-party liability wording is split into 3 parts to contemplate all of the coverage possible scenarios. A summary of the cyber risk coverage scenarios and coverage mechanics is outlined below:
- Insuring Agreement F1: When LPL does not provide any coverage for a cyber risk claim, SafeLaw provides primary coverage excess of the SafeLaw deductible.
- Insuring Agreement F2: When the LPL provides full coverage for a cyber risk claim:
- and the LPL deductible is greater than the SafeLaw deductible:
- SafeLaw provides primary coverage excess of the SafeLaw deductible up to the amount of the LPL deductible (“infilling” the LPL deductible); and
- SafeLaw provides excess coverage over the limit of the LPL policy.
- and the LPL deductible is less than or equal to the SafeLaw deductible:
- the LPL provides primary coverage excess of the LPL deductible; and
- SafeLaw will provide excess coverage over the limit of the LPL policy. The SafeLaw deductible applies, but is reduced by amounts paid under the LPL (deductible or limit), which results in the SafeLaw deductible being $0.
- and the LPL deductible is greater than the SafeLaw deductible:
- Insuring Agreement F3: When the LPL provides partial coverage for a cyber risk claim:
- and the LPL deductible is greater than the SafeLaw deductible:
- SafeLaw provides primary coverage excess of the SafeLaw deductible up to the amount of the LPL deductible for the part of the claim covered by the LPL policy; and
- SafeLaw provides primary coverage excess of the SafeLaw deductible for the part of the claim not covered by the LPL; and
- and SafeLaw provides excess coverage over the limit of the LPL policy for the part of the claim covered by the LPL policy.
- and the LPL deductible is less than or equal to the SafeLaw deductible:
- SafeLaw provides primary coverage for the part of the claim not covered by the LPL. The SafeLaw deductible applies, but is eroded by amounts paid under the LPL (deductible or limit), which in results in the SafeLaw deductible being $0; and
- SafeLaw provides excess coverage over the limit of the LPL policy for the part of the claim that is covered by the LPL policy. The SafeLaw deductible applies, but is reduced by amounts paid under the LPL (deductible or limit), which results in the SafeLaw deductible being $0.
- and the LPL deductible is greater than the SafeLaw deductible: